diff --git a/criu/include/util.h b/criu/include/util.h
index 4334e69c2d..43ec4c2598 100644
--- a/criu/include/util.h
+++ b/criu/include/util.h
@@ -170,6 +170,7 @@ extern pid_t fork_and_ptrace_attach(int (*child_setup)(void));
 extern int cr_daemon(int nochdir, int noclose, int close_fd);
 extern int status_ready(void);
 extern int is_root_user(void);
+extern int is_iptables_nft(char *bin);
 extern int set_proc_self_fd(int fd);
diff --git a/criu/net.c b/criu/net.c
index 7109e6876a..20b67db01e 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -3180,15 +3180,31 @@ static inline int nftables_network_unlock(void)
 static int iptables_network_unlock_internal(void)
 {
- char conf[] = "*filter\n" ":CRIU - [0:0]\n" "-D INPUT -j CRIU\n" "-D OUTPUT -j CRIU\n" "-X CRIU\n" "COMMIT\n";
+ char legacy_rules[] = "*filter\n" ":CRIU - [0:0]\n" "-D INPUT -j CRIU\n" "-D OUTPUT -j CRIU\n" "-X CRIU\n" "COMMIT\n";
+
+ char nft_rules[] = "*filter\n" ":CRIU - [0:0]\n" "-D INPUT -j CRIU\n" "-D INPUT -j CRIU\n" "-D OUTPUT -j CRIU\n" "-D OUTPUT -j CRIU\n" "-X CRIU\n" "COMMIT\n";
 int ret = 0;
+ int conf_size = sizeof(legacy_rules) - 1;
+ char *conf = legacy_rules;
- ret |= iptables_restore(false, conf, sizeof(conf) - 1);
+ if (is_iptables_nft("iptables-restore") == 1) {
+ conf_size = sizeof(nft_rules) - 1;
+ conf = nft_rules;
+ }
+
+ ret |= iptables_restore(false, conf, conf_size);
 if (kdat.ipv6)
 ret |= iptables_restore(true, conf, sizeof(conf) - 1);
diff --git a/criu/util.c b/criu/util.c
index 95ba0feda6..f08353ea5b 100644
--- a/criu/util.c
+++ b/criu/util.c
@@ -1637,7 +1637,7 @@ int cut_path_ending(char *path, char *ending)
 return 0;
 }
-static int is_iptables_nft(char *bin)
+int is_iptables_nft(char *bin)
 {
 int pfd[2] = { -1, -1 }, ret = -1;
 char *cmd[] = { bin, "-V", NULL };
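Review bot: The newly exported prototype `extern int is_iptables_nft(char *bin);` carries no comment on its return contract, yet the caller in net.c compares the result against exactly 1 and the util.c body starts from `ret = -1`, so a reader must open util.c to learn what the other values mean. I would add above the declaration: `/* Probe @bin with "-V": 1 = nf_tables backend, 0 = legacy backend, -1 = the probe could not be run; callers currently treat anything but 1 as legacy. */`. The meaning of 0 and -1 is inferred from the visible `ret = -1` initialiser and the `== 1` check and should be confirmed against the function body, which lies outside this hunk.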
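Review bot: The unchanged IPv6 call at the end of the hunk, `ret |= iptables_restore(true, conf, sizeof(conf) - 1);`, now passes `sizeof(char *) - 1` (7 on 64-bit) because `conf` was turned from a `char[]` into a pointer, so ip6tables-restore receives just `*filter` with no COMMIT and the CRIU chain is never deleted on the IPv6 side — the restored tree can stay network-locked for IPv6 traffic. It should read `ret |= iptables_restore(true, conf, conf_size);`, matching the IPv4 call two lines above. Separately, the backend is probed only through `iptables-restore`; if `ip6tables-restore` can resolve to a different backend on the same host the IPv6 pass would get the wrong rule set, which deserves either a second probe or a comment stating the assumption. The closing lines of iptables_network_unlock_internal fall outside the hunk.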