.TP
[\fB!\fP] \fB\-\-path\fP \fIpath\fP
Match cgroup2 membership.

Each socket is associated with the v2 cgroup of the creating process.
This matches packets coming from or going to all sockets in the
sub-hierarchy of the specified path. The path should be relative to
the root of the cgroup2 hierarchy.
.TP
[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
Match cgroup net_cls classid.

classid is the marker set through the cgroup net_cls controller. This
option and \-\-path can't be used together.
.PP
Example:
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP
.PP
\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
matcher is currently only of limited functionality, meaning it
will only match on packets that are processed for local sockets
through early socket demuxing. Therefore, general usage on the
INPUT chain is not advised unless the implications are well
understood.
.PP
Available since Linux 3.14.
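The \-\-path argument has to be relative to the cgroup2 root, while /proc/<pid>/cgroup reports the v2 membership as an absolute "0::/..." entry. The script below is an added example, not part of the iptables documentation: it extracts that entry, strips it to the relative form and prints the first example rule above. The helper names and the sample listing are constructed for illustration, and rejecting the root cgroup is a choice made by this example.

```shell
#!/bin/sh
# Added example: turn a /proc/<pid>/cgroup listing into the argument for
# "-m cgroup --path" and print (never run) the resulting rule.

# Constructed sample of a hybrid v1 + v2 listing.
SAMPLE='12:net_cls,net_prio:/
1:name=systemd:/system.slice/http-server.service
0::/service/http-server'

# cgroup2_rel_path (hypothetical helper): reads the listing on stdin and
# prints the cgroup v2 path relative to the hierarchy root.
cgroup2_rel_path() {
    found=
    while IFS= read -r line; do
        case $line in
            0::/*) found=${line#0::/}; break ;;  # the v2 entry is "0::<path>"
        esac
    done
    case $found in
        '')            return 1 ;;  # no v2 entry, or the root cgroup itself
        *' (deleted)') return 1 ;;  # cgroup already removed
        *"'"*)         return 1 ;;  # keeps the printed rule quotable
    esac
    printf '%s\n' "$found"
}

# drop_unless_in_cgroup PORT (hypothetical helper): prints the page's first
# example rule with the path taken from the listing on stdin.
drop_unless_in_cgroup() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    rel=$(cgroup2_rel_path) || return 1
    printf "iptables -A OUTPUT -p tcp --sport %s -m cgroup ! --path '%s' -j DROP\n" "$1" "$rel"
}

# Live use: drop_unless_in_cgroup 80 < /proc/<pid>/cgroup
printf '%s\n' "$SAMPLE" | drop_unless_in_cgroup 80
```

The v1 lines in the listing (net_cls, name=systemd) are skipped on purpose: they belong to the \-\-cgroup classid form, which cannot be combined with \-\-path.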