with firewalld is it possible to use an invert ipset as source?

with firewalld I can make a rule like this: (note the invert="True") firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" invert="True" drop' and I can specify that for certain sources I need them treated as part of a zone with this: firewall-cmd --permanent --zone=external --add-source=ipset:knowns Is it possible to invert this and say make sure any ip that is not in the ipset is treated as a part of another specified zone? I have had a look at the man page, and I can not find any indication whether this is possible.