diff --git a/internal/firewalls/nftables/expration.go b/internal/firewalls/nftables/expration.go
index e85ec62..04e393d 100644
--- a/internal/firewalls/nftables/expration.go
+++ b/internal/firewalls/nftables/expration.go
@@ -40,7 +40,10 @@ func (this *Expiration) Remove(key []byte) {
 func (this *Expiration) Contains(key []byte) bool {
 this.locker.RLock()
- _, ok := this.m[string(key)]
+ expires, ok := this.m[string(key)]
+ if ok && expires.Year() > 2000 && time.Now().After(expires) {
+ ok = false
+ }
 this.locker.RUnlock()
 return ok
 }
@@ -55,7 +58,7 @@ func (this *Expiration) gc() {
 var now = time.Now().Add(-10 * time.Second) // gc elements expired before 10 seconds ago
 for key, expires := range this.m {
- if expires.Year() >= 2000 && now.After(expires) {
+ if expires.Year() > 2000 && now.After(expires) {
 delete(this.m, key)
 }
 }
diff --git a/internal/firewalls/nftables/expration_test.go b/internal/firewalls/nftables/expration_test.go
index cd894a4..c477b4d 100644
--- a/internal/firewalls/nftables/expration_test.go
+++ b/internal/firewalls/nftables/expration_test.go
@@ -17,6 +17,14 @@ func TestExpiration_Add(t *testing.T) {
 expiration.Add([]byte{'a', 'b', 'c'}, time.Now())
 t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
 }
+ {
+ expiration.Add([]byte{'a', 'b', 'c'}, time.Now().Add(1*time.Second))
+ t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+ }
+ {
+ expiration.Add([]byte{'a', 'b', 'c'}, time.Time{})
+ t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+ }
 {
 expiration.Add([]byte{'a', 'b', 'c'}, time.Now().Add(-1*time.Second))
 t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
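Review bot: The "never expires" sentinel is an undocumented magic year, now written out twice: `expires.Year() > 2000` in Contains and again in the gc hunk. Nothing visible says that an expiry in year 2000 or earlier means the key is kept forever. The test stores `time.Time{}` for that case, so `!expires.IsZero()` would state the intent directly, provided Add (not shown) writes no other placeholder value. Otherwise a small shared helper with a comment such as `// an expiry in year 2000 or earlier means the key never expires` keeps the two checks from drifting apart. This matters because Contains presumably decides whether an address gets re-added to a firewall set, although its callers are outside this diff. gc's body starts above its hunk.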
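Review bot: The two added cases only print the result with `t.Log`, so the test passes whether or not Contains honours the expiry, and the behaviour this commit fixes is not pinned. The one-second and `time.Time{}` cases should assert, for example `if !expiration.Contains([]byte{'a', 'b', 'c'}) { t.Fatal("unexpired key should be contained") }`, with the inverse check on the `-1*time.Second` case that follows. The existing `time.Now()` case depends on timing and is better left as a log line. TestExpiration_Add begins and ends outside this hunk.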