In Linux, is there a way to block all listening points at 0.0.0.0/[::] outside a VRF and have "net.ipv4.tcp_l3mdev_accept" enabled at same time?
0 votes, 0 answers, 20 views
In Linux, if I enable net.ipv4.tcp_l3mdev_accept with the sysctl utility, I can reach all TCP ports listening at 0.0.0.0/[::] if there is a reachable IP inside a VRF. The listening point can belong to a process outside the VRF (not bound with SO_BINDTODEVICE or running with "ip vrf exec \").
> sudo sysctl -w net.ipv4.tcp_l3mdev_accept=1
Inside a VRF, is there a way to block all TCP listening points belonging to processes running outside the VRF and have net.ipv4.tcp_l3mdev_accept enabled at the same time?
Asked by przemyslawo
(1 rep)
Dec 30, 2024, 10:08 PM
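The question describes the exposure that tcp_l3mdev_accept=1 creates: every TCP socket listening on 0.0.0.0 or [::] becomes a landing point for connections that enter through a VRF. Before deciding how to block them, a practitioner usually wants an inventory of which listeners are affected. The script below is an added example (not the asker's code and not from any project); it parses the /proc/net/tcp and /proc/net/tcp6 socket tables, reads the live sysctl from /proc/sys/net/ipv4/tcp_l3mdev_accept, and reports the wildcard LISTEN sockets that a connection arriving inside a VRF could reach. The embedded sample tables are constructed for the example, not captured from a real host.

```python
"""Audit TCP listeners that a VRF can reach when net.ipv4.tcp_l3mdev_accept=1.

Added example: a read-only inventory that parses the /proc/net/tcp and
/proc/net/tcp6 socket tables and flags LISTEN sockets bound to the wildcard
address (0.0.0.0 / [::]).  With tcp_l3mdev_accept enabled, those are the
sockets a connection entering through a VRF can land on.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

TCP_LISTEN = "0A"                       # 'st' column value for a listening socket
WILDCARD = {"00000000",                 # 0.0.0.0 as /proc/net/tcp prints it
            "00000000000000000000000000000000"}  # :: as /proc/net/tcp6 prints it
L3MDEV_SYSCTL = Path("/proc/sys/net/ipv4/tcp_l3mdev_accept")


@dataclass(frozen=True)
class Listener:
    family: str        # "ipv4" or "ipv6"
    port: int
    inode: int         # socket inode, usable to map back to a PID via /proc/*/fd
    wildcard: bool     # bound to 0.0.0.0 / [::] rather than a specific address


def parse_socket_table(lines: Iterable[str], family: str) -> List[Listener]:
    """Parse /proc/net/tcp{,6} text into the LISTEN sockets it contains.

    Column layout: sl local_address rem_address st tx_queue:rx_queue
    tr:tm->when retrnsmt uid timeout inode ...  Address and port are hex
    (address in host byte order), and the 'st' column holds the TCP state code.
    """
    out: List[Listener] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":   # header or blank line
            continue
        local_addr, state, inode = fields[1], fields[3], int(fields[9])
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local_addr.rsplit(":", 1)
        out.append(Listener(family, int(port_hex, 16), inode, addr_hex in WILDCARD))
    return out


def read_l3mdev_accept(path: Path = L3MDEV_SYSCTL) -> Optional[bool]:
    """Return the live sysctl value, or None on a kernel without VRF support."""
    try:
        return path.read_text().strip() == "1"
    except OSError:
        return None


def vrf_reachable(listeners: Iterable[Listener], l3mdev_accept: bool) -> List[Tuple[str, int]]:
    """(family, port) pairs a connection arriving inside a VRF could reach.

    With tcp_l3mdev_accept=0 a wildcard listener outside the VRF is not
    matched at all; with =1 every wildcard listener is a candidate.  Sockets
    bound to a specific address are not reachable from the VRF in either case.
    """
    if not l3mdev_accept:
        return []
    return sorted({(l.family, l.port) for l in listeners if l.wildcard})


# Constructed sample tables (not captured from a real host): a daemon on
# 0.0.0.0:22, one on 127.0.0.1:25, an established client socket, and [::]:8080.
SAMPLE_TCP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0",
    "   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0",
    "   2: 0100007F:D3A0 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1",
]
SAMPLE_TCP6 = [
    "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0",
]


def audit_sample() -> List[Tuple[str, int]]:
    """Run the inventory over the constructed tables with the sysctl enabled."""
    listeners = parse_socket_table(SAMPLE_TCP, "ipv4") + parse_socket_table(SAMPLE_TCP6, "ipv6")
    return vrf_reachable(listeners, l3mdev_accept=True)


if __name__ == "__main__":
    # Live run against the local kernel; needs no privileges beyond reading /proc.
    enabled = read_l3mdev_accept()
    with open("/proc/net/tcp") as f4, open("/proc/net/tcp6") as f6:
        live = parse_socket_table(f4, "ipv4") + parse_socket_table(f6, "ipv6")
    print(f"tcp_l3mdev_accept={enabled}")
    for fam, port in vrf_reachable(live, bool(enabled)):
        print(f"  wildcard listener reachable from inside a VRF: {fam} port {port}")
```

One caveat when reading the output: /proc/net/tcp does not record SO_BINDTODEVICE, so a socket that is bound to the VRF device itself also appears as 0.0.0.0 here and will be listed even though it belongs inside the VRF. Cross-check the flagged ports with `ss -lnt`, which prints the bound device after the address for device-bound sockets, and use the inode column to map a listener back to its process through /proc/*/fd.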