systemd.resource-control(5) used to have a parameter "NetClass", added in v227, 2015-10-07 but it is removed in v229 because this cgroup parameter will not be in unified cgroup hierarchy and systemd wants to go towards that. So tcd would need to write in the cgroup file itself on cgroup-v1, or use something around xt_cgroup (see the thread on "xt_cgroup cgroup2 path match")
Add methods to configure per systemd service traffic control. It could use the net_cls cgroup and the tc-cgroup classifier.
systemd.resource-control(5) used to have a parameter "NetClass", added in v227, 2015-10-07 but it is removed in v229 because this cgroup parameter will not be in unified cgroup hierarchy and systemd wants to go towards that. So tcd would need to write in the cgroup file itself on cgroup-v1, or use something around xt_cgroup (see the thread on "xt_cgroup cgroup2 path match")
Making this work on ingress traffic is not easy, since the ingress qdisc is performed sooner in the Linux network stack than the socket lookup. It requires using the iptables' conntrack --save-mark/--restore-mark options and the tc connmark action.