How to set up iptables filtering on a network interface with a subnet based on per-application isolation using cgroups v2 in Linux?
0 votes, 0 answers, 81 views
I have been trying to set up per-application filtering on a network interface using cgroups v2, but I can't.
Here is an example using network namespaces and veth pairs:
ip netns add somenetns
ip link add foo type veth peer name bar netns somenetns
ip link set foo up
ip -4 addr add 10.0.0.1/24 dev foo
ip -6 addr add fd00::1/64 dev foo
ip netns exec somenetns ip link set bar up
ip netns exec somenetns ip -4 addr add 10.0.0.2/24 dev bar
ip netns exec somenetns ip -6 addr add fd00::2/64 dev bar
ip netns exec somenetns ip -4 route add default via 10.0.0.1 dev bar
ip netns exec somenetns ip -6 route add default via fd00::1 dev bar
ip netns exec somenetns ip link set lo up
What I want is to make only the applications running inside a certain cgroup have their listening points available to the subnet of the network interface (in the case of the network namespace, have 10.0.0.1 available inside the network namespace).
I ran a basic TCP server listening on the IP of the network interface:
# sudo bash -c "echo \$\$ >> /sys/fs/cgroup/blah/cgroup.procs; nc -k -l 10.0.0.1 1234"
# sudo ip netns exec nsx nc -z 10.0.0.1 1234
Connection to 10.0.0.1 1234 port [tcp/*] succeeded!
The connection is made.
But when I try to apply some iptables rules, it fails:
iptables -A INPUT -i foo -m cgroup --path blah -j ACCEPT
iptables -A INPUT -i foo -j DROP
iptables -A OUTPUT -o foo -m cgroup --path blah -j ACCEPT
iptables -A OUTPUT -o foo -j DROP
# time sudo ip netns exec nsx nc -z 10.0.0.1 1234
^C
real 0m37.504s
user 0m0.000s
sys 0m0.003s
Is there a way to make a listening point on the IP of a network interface available to its subnet when the program that is listening is inside a cgroup, and filter out all the rest?
If it is possible to do that, what would be the correct iptables rules that I must apply?
Asked by przemyslawo (1 rep), Dec 24, 2024, 09:13 PM