 | 1 | initial version |
The iptables and netfilter documentation have a lot about how to use marks but not how they are implemented.
External articles say that they are virtual (in the kernel) and never reach an interface where Wireshark can see them.
How --set-mark option works on Netfilter (IPTABLES)?
It's only purely virtual and internal, as it can have no existence on the wire.
A Deep Dive into Iptables and Netfilter Architecture
This table can also place an internal kernel “mark” on the packet for further processing in other tables and by other networking tools. This mark does not touch the actual packet, but adds the mark to the kernel’s representation of the packet.
