diff -ur ../criu-3.19/criu/cr-dump.c criu-3.19/criu/cr-dump.c
--- ../criu-3.19/criu/cr-dump.c	2023-11-28 01:47:16.000000000 +0100
+++ criu-3.19/criu/cr-dump.c	2024-12-17 09:53:58.545908685 +0100
@@ -2182,7 +2182,7 @@
 	if (collect_pstree_ids())
 		goto err;
 
-	if (network_lock())
+	if (network_lock(&he))
 		goto err;
 
 	if (rpc_query_external_files())
diff -ur ../criu-3.19/criu/cr-restore.c criu-3.19/criu/cr-restore.c
--- ../criu-3.19/criu/cr-restore.c	2023-11-28 01:47:16.000000000 +0100
+++ criu-3.19/criu/cr-restore.c	2024-12-17 09:29:47.771542239 +0100
@@ -2359,7 +2359,7 @@
 		 * the '--empty-ns net' mode no iptables C/R is done and we
 		 * need to return these rules by hands.
 		 */
-		ret = network_lock_internal();
+		ret = network_lock_internal(NULL);
 		if (ret)
 			goto out_kill;
 	}
diff -ur ../criu-3.19/criu/image.c criu-3.19/criu/image.c
--- ../criu-3.19/criu/image.c	2023-11-28 01:47:16.000000000 +0100
+++ criu-3.19/criu/image.c	2024-12-17 09:56:13.751949657 +0100
@@ -25,6 +25,7 @@
 TaskKobjIdsEntry *root_ids;
 u32 root_cg_set;
 Lsmtype image_lsm;
+char nft_lock_table[32];
 
 int check_img_inventory(bool restore)
 {
@@ -99,6 +100,9 @@
 		} else {
 			opts.network_lock_method = he->network_lock_method;
 		}
+
+		if (he->nft_lock_table)
+			strncpy(nft_lock_table, he->nft_lock_table, sizeof(nft_lock_table) - 1);
 	}
 
 	ret = 0;
diff -ur ../criu-3.19/criu/include/net.h criu-3.19/criu/include/net.h
--- ../criu-3.19/criu/include/net.h	2023-11-28 01:47:16.000000000 +0100
+++ criu-3.19/criu/include/net.h	2024-12-17 09:27:40.578168778 +0100
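Review bot: `char nft_lock_table[32];` in the image.c @@ -25 hunk hard-codes a size that is repeated as `extern char nft_lock_table[32];` in the net.c @@ -229 hunk and as the local `char table[32]` buffers in the net.c nftables hunks, so the four can drift apart without any compiler complaint. Define the length once in a shared header, e.g. `#define NFT_LOCK_TABLE_LEN 32` next to an `extern char nft_lock_table[NFT_LOCK_TABLE_LEN];` declaration, and size the array and the local buffers from it. A global shared by two translation units belongs in that header rather than in a hand-written `extern` inside net.c.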
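Review bot: The table name read from the image at the new `strncpy()` in the image.c @@ -99 hunk is accepted without any validation, yet net.c later interpolates it into the `delete table %s` command handed to nft, so a malformed or hand-edited image decides what that command does, and an over-long value is silently truncated to a different name. Reject instead of truncating: check `strlen(he->nft_lock_table) < sizeof(nft_lock_table)` and that the string contains only the characters nftables_get_table() can produce (no whitespace or nft syntax characters), and return an error from the inventory check otherwise. After that check, `snprintf(nft_lock_table, sizeof(nft_lock_table), "%s", he->nft_lock_table);` makes the NUL termination explicit instead of relying on the global's zero initialisation. check_img_inventory() continues outside the hunk.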
@@ -29,9 +29,10 @@
 extern int collect_net_namespaces(bool for_dump);
-extern int network_lock(void);
+#include "images/inventory.pb-c.h"
+extern int network_lock(InventoryEntry *he);
 extern void network_unlock(void);
-extern int network_lock_internal(void);
+extern int network_lock_internal(InventoryEntry *he);
 extern struct ns_desc net_ns_desc;
diff -ur ../criu-3.19/criu/net.c criu-3.19/criu/net.c
--- ../criu-3.19/criu/net.c	2023-11-28 01:47:16.000000000 +0100
+++ criu-3.19/criu/net.c	2024-12-17 09:53:25.370199544 +0100
@@ -229,6 +229,8 @@
 	"max_dgram_qlen",
 };
 
+extern char nft_lock_table[32];
+
 /*
  * MAX_CONF_UNIX_PATH = (sizeof(CONF_UNIX_FMT) - strlen("%s"))
  *			+ MAX_CONF_UNIX_OPT_PATH
@@ -3053,21 +3055,34 @@
 	return ret;
 }
 
-static inline int nftables_lock_network_internal(void)
+static inline int nftables_lock_network_internal(InventoryEntry *he)
 {
 #if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
 	struct nft_ctx *nft;
 	int ret = 0;
 	char table[32];
 	char buf[128];
+	FILE *fp;
 
 	if (nftables_get_table(table, sizeof(table)))
 		return -1;
 
+	if (he) {
+		he->nft_lock_table = strdup(table);
+	}
+
 	nft = nft_ctx_new(NFT_CTX_DEFAULT);
 	if (!nft)
 		return -1;
 
+	fp = fdopen(log_get_fd(), "w");
+	if (!fp) {
+		pr_perror("fdopen() failed");
+		goto err3;
+	}
+	nft_ctx_set_output(nft, fp);
+	nft_ctx_set_error(nft, fp);
+
 	snprintf(buf, sizeof(buf), "create table %s", table);
 	if (NFT_RUN_CMD(nft, buf))
 		goto err2;
@@ -3094,6 +3109,9 @@
 	snprintf(buf, sizeof(buf), "delete table %s", table);
 	NFT_RUN_CMD(nft, buf);
 err2:
+	fflush(fp);
+	fclose(fp);
+err3:
 	ret = -1;
 	pr_err("Locking network failed using nftables\n");
 out:
@@ -3130,7 +3148,7 @@
 	return ret;
 }
 
-int network_lock_internal(void)
+int network_lock_internal(InventoryEntry *he)
 {
 	int ret = 0, nsret;
 
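Review bot: The new `#include "images/inventory.pb-c.h"` in net.h sits between two `extern` declarations instead of with the header's other includes, and it makes every file that includes net.h pull in the generated protobuf header just to name a pointer type. Move the include to the top of net.h, or better, forward-declare the struct tag protobuf-c generates for `InventoryEntry` so the generated header is only needed in net.c.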
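Review bot: `fp = fdopen(log_get_fd(), "w");` in the @@ -3053 hunk hands CRIU's log file descriptor to a FILE, and the `fclose(fp);` added at `err2:` in the @@ -3094 hunk then closes that descriptor, so after a failed lock every later log write goes to a closed (or reused) fd; nftables_unlock_network_internal in the @@ -3158 hunk does the same on every call. Duplicate the descriptor first, `fp = fdopen(dup(log_get_fd()), "w");`, in both functions (a failed dup() makes fdopen() return NULL, which the existing check already handles). The success path of nftables_lock_network_internal runs past the hunk; if it does not fflush()/fclose() fp there too, nft's buffered output is never written and the FILE leaks. Separately, `he->nft_lock_table = strdup(table);` is unchecked, so on allocation failure the inventory is written without the name and restore silently falls back to recomputing it.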
@@ -3143,7 +3161,7 @@
 	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
 		ret = iptables_network_lock_internal();
 	else if (opts.network_lock_method == NETWORK_LOCK_NFTABLES)
-		ret = nftables_lock_network_internal();
+		ret = nftables_lock_network_internal(he);
 
 	if (restore_ns(nsret, &net_ns_desc))
 		ret = -1;
@@ -3158,18 +3176,34 @@
 	struct nft_ctx *nft;
 	char table[32];
 	char buf[128];
+	FILE *fp;
 
-	if (nftables_get_table(table, sizeof(table)))
-		return -1;
+	if (nft_lock_table[0] != 0) {
+		strncpy(table, nft_lock_table, sizeof(table));
+	} else {
+		if (nftables_get_table(table, sizeof(table)))
+			return -1;
+	}
 
 	nft = nft_ctx_new(NFT_CTX_DEFAULT);
 	if (!nft)
 		return -1;
 
+	fp = fdopen(log_get_fd(), "w");
+	if (!fp) {
+		pr_perror("fdopen() failed");
+		nft_ctx_free(nft);
+		return -1;
+	}
+	nft_ctx_set_output(nft, fp);
+	nft_ctx_set_error(nft, fp);
+
 	snprintf(buf, sizeof(buf), "delete table %s", table);
 	if (NFT_RUN_CMD(nft, buf))
 		ret = -1;
+	fflush(fp);
+	fclose(fp);
 	nft_ctx_free(nft);
 	return ret;
 
 #else
@@ -3216,7 +3250,7 @@
 	return ret;
 }
 
-int network_lock(void)
+int network_lock(InventoryEntry *he)
 {
 	pr_info("Lock network\n");
 
@@ -3230,10 +3264,10 @@
 	if (run_scripts(ACT_NET_LOCK))
 		return -1;
 
-	return network_lock_internal();
+	return network_lock_internal(he);
 }
 
-void network_unlock(void)
+void network_unlock()
 {
 	pr_info("Unlock network\n");
 
diff -ur ../criu-3.19/images/inventory.proto criu-3.19/images/inventory.proto
--- ../criu-3.19/images/inventory.proto	2023-11-28 01:47:16.000000000 +0100
+++ criu-3.19/images/inventory.proto	2024-12-17 09:21:55.378011178 +0100
@@ -21,4 +21,5 @@
 	optional uint32 pre_dump_mode = 9;
 	optional bool tcp_close = 10;
 	optional uint32 network_lock_method = 11;
+	optional string nft_lock_table = 13;
 }
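Review bot: `strncpy(table, nft_lock_table, sizeof(table));` in the @@ -3158 hunk leaves `table` unterminated if `nft_lock_table` ever fills all 32 bytes; today that cannot happen only because image.c copies at most 31 bytes into a zero-initialised global, a contract enforced three files away. Write `snprintf(table, sizeof(table), "%s", nft_lock_table);` so termination does not depend on the producer. The enclosing function's signature and its tail after `#else` are outside the hunk.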
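Review bot: `void network_unlock()` on the new side of the @@ -3230 hunk drops the `void` the old definition had, which in C makes this a non-prototype definition (`()` means unspecified arguments, not none) and no longer matches `extern void network_unlock(void);` in net.h. Keep `void network_unlock(void)`; the change is unrelated to the rest of the commit. network_unlock's body continues outside the hunk.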