.TP
[\fB!\fP] \fB\-\-path\fP \fIpath\fP
Match cgroup2 membership.
Each socket is associated with the v2 cgroup of the creating process.
This matches packets coming from or going to all sockets in the
sub-hierarchy of the specified path.
The path should be relative to the root of the cgroup2 hierarchy.
.TP
[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
Match cgroup net_cls classid.
classid is the marker set through the cgroup net_cls controller.
This option and \-\-path can't be used together.
.PP
Example:
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP
.PP
\fBIMPORTANT\fP: when used in the INPUT chain, the cgroup matcher
currently has only limited functionality: it will only match packets
that are processed for local sockets through early socket demuxing.
Therefore, general usage on the INPUT chain is not advised unless the
implications are well understood.
.PP
Available since Linux 3.14.