diff --git a/manifests/nftables/docker_expose.pp b/manifests/nftables/docker_expose.pp
index 31e7066ea..75d56bd35 100644
--- a/manifests/nftables/docker_expose.pp
+++ b/manifests/nftables/docker_expose.pp
@@ -52,9 +52,18 @@
 notify => Service['nftables'],
 ;
 }
- sunet::nftables::allow { "expose-allow-${safe_name}":
- from => 'any',
- port => $port,
+ if ($allow_clients =~ Array[String, 1]) or ($allow_clients =~ String[1]) {
+ sunet::nftables::allow { "expose-allow-${safe_name}":
+ from => $allow_clients,
+ port => $port,
+ proto => $proto,
+ }
+ } else {
+ sunet::nftables::allow { "expose-allow-${safe_name}":
+ from => any,
+ port => $port,
+ proto => $proto,
+ }
 }
 }
 }
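Review bot: The `else` branch fails open: any `$allow_clients` value that is not a non-empty string or a non-empty array (undef, `''`, `[]`, or a wrong type coming from Hiera) silently publishes the port to `any`, so a lookup that comes back empty widens exposure instead of failing. The parameter declaration is outside this hunk, so its type and default are not visible; if it is untyped, consider declaring it as `Variant[String[1], Array[String[1], 1]] $allow_clients = 'any'` and passing `from => $allow_clients` in a single `sunet::nftables::allow` declaration, which removes the duplicated resource body and turns an empty value into a compile error. `Array[String, 1]` also accepts empty-string elements such as `['']`, and what `sunet::nftables::allow` does with those is not shown here. The bareword `any` in the fallback should stay quoted as `'any'`, as it was before the change.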