diff --git a/scripts/build/Dockerfile.alpine b/scripts/build/Dockerfile.alpine
index 593e1903159..2c58c910e7a 100644
--- a/scripts/build/Dockerfile.alpine
+++ b/scripts/build/Dockerfile.alpine
@@ -33,6 +33,7 @@ RUN make mrproper && date && make -j $(nproc) CC="$CC" && date
 RUN apk add \
 ip6tables \
 iptables \
+ iptables-legacy \
 nftables \
 iproute2 \
 tar \
diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
index 07d3bc6e218..fb856d55b41 100644
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -85,7 +85,8 @@ TST_NOFILE := \
 socket-tcp4v6 \
 socket-tcp-local \
 socket-tcp-reuseport \
- socket-tcp-nfconntrack \
+ socket-tcp-ipt-nfconntrack \
+ socket-tcp-nft-nfconntrack \
 socket-tcp6-local \
 socket-tcp4v6-local \
 socket-tcpbuf \
@@ -277,7 +278,7 @@ pkg-config-check = $(shell sh -c '$(PKG_CONFIG) $(1) && echo y')
 ifeq ($(call pkg-config-check,libbpf),y)
 TST_NOFILE += \
 bpf_hash \
- bpf_array
+ bpf_array
 endif
 
 ifneq ($(ARCH),arm)
@@ -598,7 +599,8 @@ socket-tcpbuf6-local: CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
 socket-tcp6-local: CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
 socket-tcp4v6-local: CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV4V6
 socket-tcp-local: CFLAGS += -D ZDTM_TCP_LOCAL
-socket-tcp-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_CONNTRACK
+socket-tcp-ipt-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_IPT_CONNTRACK
+socket-tcp-nft-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_NFT_CONNTRACK
 socket_listen6: CFLAGS += -D ZDTM_IPV6
 socket_listen4v6: CFLAGS += -D ZDTM_IPV4V6
 socket-tcp6-closed: CFLAGS += -D ZDTM_IPV6
diff --git a/test/zdtm/static/socket-tcp-nfconntrack.c b/test/zdtm/static/socket-tcp-ipt-nfconntrack.c
similarity index 100%
rename from test/zdtm/static/socket-tcp-nfconntrack.c
rename to test/zdtm/static/socket-tcp-ipt-nfconntrack.c
diff --git a/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc b/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc
new file mode 100644
index 00000000000..53dd822854d
--- /dev/null
+++ b/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc
@@ -0,0 +1,6 @@
+{
+ 'feature': 'has_ipt_legacy',
+ 'flavor': 'h',
+ 'opts': '--tcp-established',
+ 'flags': 'suid'
+}
diff --git a/test/zdtm/static/socket-tcp-nfconntrack.desc b/test/zdtm/static/socket-tcp-nfconntrack.desc
deleted file mode 100644
index add2513f819..00000000000
--- a/test/zdtm/static/socket-tcp-nfconntrack.desc
+++ /dev/null
@@ -1 +0,0 @@
-{'flavor': 'h', 'opts': '--tcp-established', 'flags': 'suid'}
diff --git a/test/zdtm/static/socket-tcp-nft-nfconntrack.c b/test/zdtm/static/socket-tcp-nft-nfconntrack.c
new file mode 100644
index 00000000000..9830c7860a4
--- /dev/null
+++ b/test/zdtm/static/socket-tcp-nft-nfconntrack.c
@@ -0,0 +1,240 @@
+#include "zdtmtst.h"
+
+#ifdef ZDTM_IPV4V6
+#define ZDTM_FAMILY AF_INET
+#define ZDTM_SRV_FAMILY AF_INET6
+#elif defined(ZDTM_IPV6)
+#define ZDTM_FAMILY AF_INET6
+#define ZDTM_SRV_FAMILY AF_INET6
+#else
+#define ZDTM_FAMILY AF_INET
+#define ZDTM_SRV_FAMILY AF_INET
+#endif
+
+const char *test_doc = "Check, that a TCP connection can be restored\n";
+const char *test_author = "Andrey Vagin
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int port = 8880;
+
+#define BUF_SIZE 4096
+
+int read_data(int fd, unsigned char *buf, int size)
+{
+ int cur = 0;
+ int ret;
+ while (cur != size) {
+ ret = read(fd, buf + cur, size - cur);
+ if (ret <= 0)
+ return -1;
+ cur += ret;
+ }
+
+ return 0;
+}
+
+int write_data(int fd, const unsigned char *buf, int size)
+{
+ int cur = 0;
+ int ret;
+
+ while (cur != size) {
+ ret = write(fd, buf + cur, size - cur);
+ if (ret <= 0)
+ return -1;
+ cur += ret;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ unsigned char buf[BUF_SIZE];
+ int fd, fd_s;
+ pid_t extpid;
+ uint32_t crc;
+ int pfd[2];
+ int val;
+ socklen_t optlen;
+
+#ifdef ZDTM_IPT_CONNTRACK
+ if (unshare(CLONE_NEWNET)) {
+ pr_perror("unshare");
+ return 1;
+ }
+ if (system("ip link set up dev lo"))
+ return 1;
+
+ if (system("iptables-legacy -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+ return 1;
+ if (system("iptables-legacy -w -A INPUT -j DROP"))
+ return 1;
+
+#endif
+
+#ifdef ZDTM_NFT_CONNTRACK
+ if (unshare(CLONE_NEWNET)) {
+ pr_perror("unshare");
+ return 1;
+ }
+ if (system("ip link set up dev lo"))
+ return 1;
+
+ if (system("nft add table ip filter"))
+ return 1;
+ if (system("nft add chain ip filter INPUT"))
+ return 1;
+ if (system("nft add rule ip filter INPUT iifname \"lo\" ip protocol tcp ct state new,established counter accept"))
+ return 1;
+ if (system("nft add rule ip filter INPUT counter drop"))
+ return 1;
+
+#endif
+
+#ifdef ZDTM_TCP_LOCAL
+ test_init(argc,
argv);
+#endif
+
+ if (pipe(pfd)) {
+ pr_perror("pipe() failed");
+ return 1;
+ }
+
+ extpid = fork();
+ if (extpid < 0) {
+ pr_perror("fork() failed");
+ return 1;
+ } else if (extpid == 0) {
+#ifndef ZDTM_TCP_LOCAL
+ test_ext_init(argc, argv);
+#endif
+
+ close(pfd[1]);
+ if (read(pfd[0], &port, sizeof(port)) != sizeof(port)) {
+ pr_perror("Can't read port");
+ return 1;
+ }
+
+ fd = tcp_init_client(ZDTM_FAMILY, "localhost", port);
+ if (fd < 0)
+ return 1;
+
+#ifdef STREAM
+ while (1) {
+ if (read_data(fd, buf, BUF_SIZE)) {
+ pr_perror("read less then have to");
+ return 1;
+ }
+ if (datachk(buf, BUF_SIZE, &crc))
+ return 2;
+
+ datagen(buf, BUF_SIZE, &crc);
+ if (write_data(fd, buf, BUF_SIZE)) {
+ pr_perror("can't write");
+ return 1;
+ }
+ }
+#else
+ if (read_data(fd, buf, BUF_SIZE)) {
+ pr_perror("read less then have to");
+ return 1;
+ }
+ if (datachk(buf, BUF_SIZE, &crc))
+ return 2;
+
+ datagen(buf, BUF_SIZE, &crc);
+ if (write_data(fd, buf, BUF_SIZE)) {
+ pr_perror("can't write");
+ return 1;
+ }
+#endif
+ return 0;
+ }
+
+#ifndef ZDTM_TCP_LOCAL
+ test_init(argc, argv);
+#endif
+
+ if ((fd_s = tcp_init_server(ZDTM_SRV_FAMILY, &port)) < 0) {
+ pr_err("initializing server failed\n");
+ return 1;
+ }
+
+ close(pfd[0]);
+ if (write(pfd[1], &port, sizeof(port)) != sizeof(port)) {
+ pr_perror("Can't send port");
+ return 1;
+ }
+ close(pfd[1]);
+
+ /*
+ * parent is server of TCP connection
+ */
+ fd = tcp_accept_server(fd_s);
+ if (fd < 0) {
+ pr_err("can't accept client connection\n");
+ return 1;
+ }
+
+ val = 1;
+ if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val))) {
+ pr_perror("setsockopt");
+ return 1;
+ }
+
+ test_daemon();
+#ifdef STREAM
+ while (test_go()) {
+ datagen(buf, BUF_SIZE, &crc);
+ if (write_data(fd, buf, BUF_SIZE)) {
+ pr_perror("can't write");
+ return 1;
+ }
+
+ if (read_data(fd, buf, BUF_SIZE)) {
+ pr_perror("read less then have to");
+ return 1;
+ }
+ if (datachk(buf, BUF_SIZE, &crc))
+ return 2;
+ }
+ kill(extpid, SIGKILL);
+#else
+ test_waitsig();
+
+ datagen(buf, BUF_SIZE, &crc);
+ if (write_data(fd, buf, BUF_SIZE)) {
+ pr_perror("can't write");
+ return 1;
+ }
+
+ if (read_data(fd, buf, BUF_SIZE)) {
+ pr_perror("read less then have to");
+ return 1;
+ }
+ if (datachk(buf, BUF_SIZE, &crc))
+ return 2;
+#endif
+ optlen = sizeof(val);
+ if (getsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, &optlen)) {
+ pr_perror("getsockopt");
+ return 1;
+ }
+ if (val != 1) {
+ fail("SO_REUSEADDR are not set for %d", fd);
+ return 1;
+ }
+
+ pass();
+ return 0;
+}
diff --git a/test/zdtm/static/socket-tcp-nft-nfconntrack.desc b/test/zdtm/static/socket-tcp-nft-nfconntrack.desc
new file mode 100644
index 00000000000..38a4eb3897f
--- /dev/null
+++ b/test/zdtm/static/socket-tcp-nft-nfconntrack.desc
@@ -0,0 +1,7 @@
+{
+ 'flavor': 'h',
+ 'feature': 'network_lock_nftables',
+ 'opts': '--tcp-established',
+ 'dopts': '--network-lock nftables',
+ 'flags': 'suid'
+}
diff --git a/test/zdtm/static/socket-tcp.c b/test/zdtm/static/socket-tcp.c
index f6ef473853d..9830c7860a4 100644
--- a/test/zdtm/static/socket-tcp.c
+++ b/test/zdtm/static/socket-tcp.c
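Review bot: The nftables setup under `ZDTM_NFT_CONNTRACK` creates `INPUT` as a regular chain — `nft add chain ip filter INPUT` carries no hook specification — so nothing attaches it to the input path and the `ct state new,established … accept` and trailing `counter drop` rules never see a packet; unless something outside this file hooks that chain, the nft variant passes without ever exercising conntrack, which is the point of the test. The socket-tcp.c hunk below contains the identical line. A base chain fixes it: `if (system("nft add chain ip filter INPUT { type filter hook input priority 0 \\; }"))` — the doubled backslash survives the C string so the shell that `system()` spawns hands a literal `\;` through to nft. A comment above the block such as `/* INPUT must be a base chain (hooked on input) or the ct rules never match */` would keep the hook spec from being dropped again.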
@@ -67,17 +67,38 @@ int main(int argc, char **argv)
 int val;
 socklen_t optlen;
 
-#ifdef ZDTM_CONNTRACK
+#ifdef ZDTM_IPT_CONNTRACK
 if (unshare(CLONE_NEWNET)) {
 pr_perror("unshare");
 return 1;
 }
 if (system("ip link set up dev lo"))
 return 1;
- if (system("iptables -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+
+ if (system("iptables-legacy -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+ return 1;
+ if (system("iptables-legacy -w -A INPUT -j DROP"))
+ return 1;
+
+#endif
+
+#ifdef ZDTM_NFT_CONNTRACK
+ if (unshare(CLONE_NEWNET)) {
+ pr_perror("unshare");
 return 1;
- if (system("iptables -w -A INPUT -j DROP"))
+ }
+ if (system("ip link set up dev lo"))
+ return 1;
+
+ if (system("nft add table ip filter"))
 return 1;
+ if (system("nft add chain ip filter INPUT"))
+ return 1;
+ if (system("nft add rule ip filter INPUT iifname \"lo\" ip protocol tcp ct state new,established counter accept"))
+ return 1;
+ if (system("nft add rule ip filter INPUT counter drop"))
+ return 1;
+
 #endif
 
 #ifdef ZDTM_TCP_LOCAL
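Review bot: The `unshare(CLONE_NEWNET)` / `ip link set up dev lo` preamble is now written out twice, once under `ZDTM_IPT_CONNTRACK` and again under `ZDTM_NFT_CONNTRACK`, with only the rule-installing commands differing; a single `#if defined(ZDTM_IPT_CONNTRACK) || defined(ZDTM_NFT_CONNTRACK)` block for the namespace setup, followed by the two backend-specific blocks, would leave one copy to keep correct. Every failed `system()` in both blocks is a bare `return 1`, so a missing `nft` or `iptables-legacy` binary in the test image is indistinguishable from a rule the kernel rejected; a `pr_err("nft setup failed\n")` (or one naming the command) before each return would make that visible in the zdtm log. The rest of main() lies outside the hunk.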