Description
Describe the Bug
While attempting to translate Tailscale iptables rules into puppetlabs-firewall code, I encountered an issue using the set_mark parameter within the filter table's FORWARD chain. The original iptables rule that works is as follows:
```
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
```
This rule was translated into Puppet code:
```puppet
firewall { '011 MARK traffic for Tailscale':
  chain    => 'ts-forward',
  iniface  => 'tailscale0',
  jump     => 'mark',
  set_mark => '0x40000/0xff0000',
}
```
However, this results in the following runtime error:
```
/tmp/d20241022-4294-1o88qvo/modules/firewall/lib/puppet/type/firewall.rb:2409:in `block (2 levels) in <top (required)>': Parameter set_mark only applies to the mangle table and when jump => MARK (RuntimeError)
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2300:in `block in validate'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2405:in `validate_resource'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2391:in `initialize'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:512:in `new'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:512:in `to_ral'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:610:in `block in to_catalog'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:602:in `each'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:602:in `to_catalog'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:495:in `to_ral'
	from /tmp/1ef13f46-3dc8-4e48-877c-8af603999b9c/apply_catalog.rb:101:in `block in <main>'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:289:in `override'
	from /tmp/1ef13f46-3dc8-4e48-877c-8af603999b9c/apply_catalog.rb:93:in `<main>'
```
The problem seems to stem from puppetlabs-firewall restricting the set_mark parameter to the mangle table, even though marking traffic is valid in the filter table (as demonstrated in the original iptables rule).
Expected Behavior
The set_mark parameter should be allowed in the filter table (specifically within the FORWARD chain) when marking traffic, similar to how iptables allows the --set-xmark flag in a filter chain.
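As an added illustration (not code from this report or from puppetlabs-firewall), the following Ruby models the two points above: what the xt_MARK `--set-xmark value/mask` form does to a packet mark, and a validation check of the shape the error message describes next to the relaxed check the report expects. The function names, the `REPORTED_RESOURCE` hash and the case-insensitive comparison of the jump target are constructed for this example and are not how the module is implemented.

```ruby
# Added example: models --set-xmark arithmetic and a table/target validation
# of the kind described by the runtime error. Not puppetlabs-firewall code.

MARK_BITS = 0xffffffff

# Parse a set_mark string such as "0x40000/0xff0000" into [value, mask].
# A missing mask means every bit of the mark is replaced (mask 0xffffffff).
# Raises if the value carries bits outside the mask, since those bits would be
# XORed into the preserved part of the mark, which is almost never intended.
def parse_set_mark(spec)
  value_str, mask_str = spec.to_s.split('/', 2)
  value = Integer(value_str)
  mask  = mask_str ? Integer(mask_str) : MARK_BITS
  raise ArgumentError, "mark value in #{spec} exceeds 32 bits" if value > MARK_BITS
  raise ArgumentError, "mark bits in #{spec} fall outside the mask" if (value & ~mask & MARK_BITS) != 0
  [value, mask]
end

# Semantics of --set-xmark: clear the bits covered by the mask, then XOR the
# value in. Bits outside the mask survive untouched, which is why the rule
# in the report can tag the 0xff0000 byte without disturbing other marks.
def set_xmark(current_mark, spec)
  value, mask = parse_set_mark(spec)
  ((current_mark & ~mask) ^ value) & MARK_BITS
end

# Model of the restriction the error text states: set_mark is accepted only
# for table => 'mangle' together with jump => 'MARK'. (Assumption: the jump
# target is compared case-insensitively here.)
def set_mark_allowed_strict?(table:, jump:, set_mark:)
  return true if set_mark.nil?
  table == 'mangle' && jump.to_s.casecmp?('MARK')
end

# The behaviour the report asks for: MARK is a legal target in filter chains
# as well, so only the jump target is checked, not the table.
def set_mark_allowed_relaxed?(table:, jump:, set_mark:)
  return true if set_mark.nil?
  jump.to_s.casecmp?('MARK')
end

# Validate a resource hash (table defaults to 'filter', as in iptables) using
# the given checker, then parse the mark so malformed values fail early.
def validate_resource(resource, checker)
  ok = send(checker,
            table: resource.fetch(:table, 'filter'),
            jump: resource[:jump],
            set_mark: resource[:set_mark])
  raise ArgumentError, 'Parameter set_mark only applies to the mangle table and when jump => MARK' unless ok
  parse_set_mark(resource[:set_mark]) if resource[:set_mark]
  true
end

# Constructed from the resource in the report (table left at the default).
REPORTED_RESOURCE = {
  chain: 'ts-forward',
  iniface: 'tailscale0',
  jump: 'mark',
  set_mark: '0x40000/0xff0000'
}.freeze

if __FILE__ == $PROGRAM_NAME
  printf("mark 0x%08x -> 0x%08x\n", 0x00ff00aa, set_xmark(0x00ff00aa, '0x40000/0xff0000'))
  begin
    validate_resource(REPORTED_RESOURCE, :set_mark_allowed_strict?)
  rescue ArgumentError => e
    puts "strict check: #{e.message}"
  end
  puts "relaxed check: #{validate_resource(REPORTED_RESOURCE, :set_mark_allowed_relaxed?)}"
end
```

Running the file shows the 0xff0000 byte being set to 0x04 while the low bits of the existing mark are preserved, the strict model rejecting the reported resource with the same message as the trace, and the relaxed model accepting it.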
Steps to Reproduce
Steps to reproduce the behavior:
describe a firewall rule as above
Environment
- firewall 5.0.0