nftables to drop packets incoming for a cgroup

drop-packets-per-cgroup.nft

table ip myservice
delete table ip myservice

table ip myservice {
  chain incoming {
    type filter hook input priority filter; policy accept;

    # `level 5` must match the number of levels of directories in the cgroup
    socket cgroupv2 level 5 "user.slice/user-1000.slice/[email protected]/app.slice/[email protected]" counter
    socket cgroupv2 level 5 "user.slice/user-1000.slice/[email protected]/app.slice/[email protected]" drop
  }
}