The puppetlabs-firewall module is unable to parse rules of the form:
-A POSTROUTING ! -d 10.0.0.0/8 -m mark ! --mark 0x1 -m comment --comment "141 Local net" -j SNAT --to-source 192.168.111.200
The "-m mark --mark" syntax is not supported by the parser.
I managed to get this working by adding:
:simple_mark => "-m mark --mark",
to the definition of resource_map in iptables.rb just after :ctstate, then including it in resource_list just before :name. I then had to copy/paste the newproperty(:connmark...) definition in firewall.rb for simple_mark.
This seems to work, but I don't know enough about Ruby or Puppet to know if this is a decent workaround (I doubt it!).
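As an added, stand-alone illustration (not code from this report or from the puppetlabs-firewall module) of how a resource_map/resource_list pair drives the parse of an iptables-save line, including the negated "-m mark ! --mark" form, and how an unsupported match module shows up as leftover tokens; all names here are assumptions:

```ruby
# Stand-alone illustration (not puppetlabs-firewall's own code) of a resource_map /
# resource_list pair driving the parse of an iptables-save line. Names are assumptions.
require 'shellwords'

RESOURCE_MAP = {
  :chain       => "-A",
  :destination => "-d",
  :ctstate     => "-m conntrack --ctstate",
  :simple_mark => "-m mark --mark",      # the entry the report adds
  :name        => "-m comment --comment",
  :jump        => "-j",
  :tosource    => "--to-source",
}.freeze

# Search order: module-specific multi-word flags before generic single flags.
RESOURCE_LIST = [:chain, :destination, :ctstate, :simple_mark, :name, :jump, :tosource].freeze

# The rule quoted in the report.
SAMPLE_RULE = '-A POSTROUTING ! -d 10.0.0.0/8 -m mark ! --mark 0x1 -m comment --comment "141 Local net" -j SNAT --to-source 192.168.111.200'

# Match the words of +flag+ at tokens[i]; a "!" may precede any word of the flag
# ("! -d x", "-m mark ! --mark x"). Returns [index_of_value, negated?] or nil.
def match_at(tokens, i, flag)
  negated, j = false, i
  flag.each do |word|
    negated, j = true, j + 1 if tokens[j] == "!"
    return nil unless tokens[j] == word
    j += 1
  end
  [j, negated]
end

# Parse one rule into {property => value} ("! " prefix marks negation) and return
# the tokens no entry of +list+ claimed; an unsupported module shows up there.
def parse_rule(line, list = RESOURCE_LIST)
  tokens = Shellwords.split(line)
  result, consumed = {}, []
  list.each do |res|
    flag = RESOURCE_MAP[res].split(' ')
    tokens.each_index do |i|
      nxt, negated = match_at(tokens, i, flag)
      next unless nxt
      result[res] = (negated ? "! " : "") + tokens[nxt]
      consumed.concat((i..nxt).to_a)
      break
    end
  end
  unparsed = tokens.each_with_index.reject { |_, i| consumed.include?(i) }.map(&:first)
  [result, unparsed]
end
```

Calling `parse_rule(SAMPLE_RULE, RESOURCE_LIST - [:simple_mark])` leaves `["-m", "mark", "!", "--mark", "0x1"]` unparsed, which is the situation the report describes before the :simple_mark entry is added.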