Condensed version - I need to share the nfmark with
another developer on the same packet, where I use the
high-order 8 bits and she can have the low-order 24 bits.
Problem is that -j MARK --set-mark writes one unsigned
integer so I would wipe out her nfmark and vice versa.

I have successfully used a mask in a mark match:
iptables -t nat -A mychain -m mark --mark $mymark/0xFF000000
and had the packets flow as desired.

It was not documented that a mask would work with
-j MARK --set-mark <number>/<mask>, but I tried
anyway.
I used <number> = 0xFF000000 (which does work by itself)
with <mask> = 0xFF000000 and <number> = 0xFFFFFFFF
with <mask> = 0xFF000000 and got the error message:
"Bad MARK value `<number>/<mask>'"

I could read the existing nfmark, add the second one, and set
the summed nfmark, but I do not see any way to read an nfmark
in iptables.

I do see a solution using the mark match to identify the current
nfmark/mask (one rule for each possible nfmark) with the new nfmark
equal to the sum of the matching nfmark/mask and the nfmark
of the second use, but that gets clunky very quickly as the number
of possible nfmarks increases and it forces each use to know
which nfmarks the other is using (== reduced modularity).

Any help would be greatly appreciated and attributed in the project.

Thank you.

Bill Chappell

-- 
William Chappell,     Software Engineer,     Critical Technologies, Inc.
Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica, NY 13501
315-793-0248  x148  < bill.chappell@critical.com >  www.critical.com
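Added example, not code from the message above: a POSIX shell script that models the mark arithmetic of the later MARK target revision which accepts `--set-xmark value/mask` (the kernel computes `mark = (mark & ~mask) ^ value`), so the two fields described in the post can be checked for clobbering without loading any rules. The chain name, the sample field values and the use of `--set-xmark` in the emitted rule are assumptions about an iptables newer than the one the message describes.

```shell
#!/bin/sh
# Models the nfmark arithmetic of "-j MARK --set-xmark VALUE/MASK" and checks that
# two developers writing disjoint bit fields never overwrite each other's bits.
# Field layout and sample values are constructed for illustration.
set -eu

HIGH_MASK=0xFF000000   # field of the first developer: high-order 8 bits
LOW_MASK=0x00FFFFFF    # field of the second developer: low-order 24 bits

# set_xmark MARK VALUE MASK -> the mark the kernel stores for --set-xmark VALUE/MASK:
# clear the bits in MASK, then XOR VALUE in (bits of VALUE outside MASK still flip!)
set_xmark() {
    printf '0x%08x\n' $(( ($1 & ~$3) ^ $2 ))
}

# field_of MARK MASK -> only the bits of MARK that belong to the field MASK
field_of() {
    printf '0x%08x\n' $(( $1 & $2 ))
}

# field_value_ok VALUE MASK -> succeeds when VALUE uses no bit outside MASK; a value
# such as 0xFFFFFFFF with mask 0xFF000000 would reach into the other field
field_value_ok() {
    [ $(( $1 & ~$2 )) -eq 0 ]
}

# field_rule CHAIN VALUE MASK -> prints the rule that writes VALUE into the field MASK
# and leaves every other nfmark bit untouched; fails if VALUE overflows the field
field_rule() {
    field_value_ok "$2" "$3" || { echo "value $2 outside field mask $3" >&2; return 1; }
    printf 'iptables -A %s -j MARK --set-xmark %s/%s\n' "$1" "$2" "$3"
}

# demo -> starting from an unmarked packet, let each developer write its own field in
# both possible rule orders and confirm that both fields survive either way
demo() {
    a=$(set_xmark 0x00000000 0xAB000000 "$HIGH_MASK")   # first developer writes 0xAB
    a=$(set_xmark "$a" 0x00123456 "$LOW_MASK")          # then the second writes 0x123456
    b=$(set_xmark 0x00000000 0x00123456 "$LOW_MASK")    # same writes, reversed order
    b=$(set_xmark "$b" 0xAB000000 "$HIGH_MASK")
    [ "$a" = "$b" ] || return 1
    [ "$(field_of "$a" "$HIGH_MASK")" = "0xab000000" ] || return 1
    [ "$(field_of "$a" "$LOW_MASK")" = "0x00123456" ] || return 1
    echo "$a"
}
```

Running `demo` prints the combined mark 0xab123456, and `field_rule mychain 0xFFFFFFFF 0xFF000000` fails, which is the value/mask combination from the post that would have touched the other developer's bits.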