using iptables marks or ipsets

[f1-outsourcing]

I have multiple ipsets the /24 is having around 50k entries. I was thinking of not dropping or rejecting this traffic. But redirecting it to a page. Sort of what cloudflare is doing.
I thought maybe a good performing if eg iptables could mark traffic and mod_security could use that in their rules. Or maybe even better, have mod_security access ipsets directly?

I have the impression this does not exist yet, is there maybe an alternative I don't know about?

[airween]

Hi @f1-outsourcing,

I'm afraid mod_security2 (more precisely the Apache) can't access the marked parts of an IP packet - of if it does, you can't access them through any variable. Therefore you can't control them (redirect, etc...).

But if you have the exact list, and use Apache (you added the label [2.x]), then you should do that on Apache side. You don't need to delegate this task to ModSecurity IMHO.