What's the recommended way to configure IP rules with mark in OpenWrt to avoid the reverse path filter (rpfilter) blocking traffic?
Often the rpfilter will block (response) traffic when you use IP rules with mark. That's because rpfilter won't respect the firewall mark unless enabled with net.ipv4.conf.<IFACE>.src_valid_mark=1. In this case you also need to save and restore the firewall mark, and make sure packets can be forwarded correctly in both directions with the mark set.
It's also possible to disable rpfilter globally in /etc/sysctl.d/:
I'm using ipset in dnsmasq to route some DNS domains via a GRE tunnel.
A rule in the prerouting chain of the mangle table marks the packets that match the IP set. Then an IP rule looks up a table with a default route on the GRE tunnel.
The IPv4 traffic from the GRE tunnel is blocked unless I disable rpfilter or enable src_valid_mark. The latter also requires me to save and restore the mark. It also forced me to move the default route from the main to the default table, and to put the IP rule mentioned above between the main and default rules. Otherwise the traffic from the GRE tunnel would also match the IP rule.
32766: from all lookup main
32766: from all fwmark 0x1 lookup 300
32767: from all lookup default
(A better solution might be to generate routes for the IP addresses instead of adding them to IP sets. The host routes would replace the default route to the GRE tunnel and avoid problems with rpfilter. But it would require extending dnsmasq or another DNS forwarder.)
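The setup described in the post written out as a script, as an added example that is not part of the original post (not the asker's or OpenWrt's own code). It assumes an ipset named vpn_domains fed by dnsmasq, a tunnel gre-vpn, WAN interface eth0.2 with gateway 192.0.2.1, mark 0x1 and table 300; all of these are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): fwmark policy routing on
# OpenWrt that rpfilter accepts. All names below are placeholders.
IPSET=${IPSET:-vpn_domains}   # ipset fed by dnsmasq (ipset=/example.net/vpn_domains)
GRE_IF=${GRE_IF:-gre-vpn}     # tunnel the marked flows should use
WAN_IF=${WAN_IF:-eth0.2}      # interface carrying the ordinary default route
WAN_GW=${WAN_GW:-192.0.2.1}   # ordinary default gateway
MARK=${MARK:-0x1}
TABLE=${TABLE:-300}
DRY_RUN=${DRY_RUN:-0}         # DRY_RUN=1 prints the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

configure_mark_routing() {
    # Slash notation stops sysctl splitting interface names that contain a dot
    # (eth0.2). The kernel takes max(all, interface), so "all" alone also works.
    for i in "$GRE_IF" "$WAN_IF" all; do
        run sysctl -w "net/ipv4/conf/$i/src_valid_mark=1"
    done
    run ipset -exist create "$IPSET" hash:ip

    # Restore the conntrack mark first, so replies arriving on the tunnel carry
    # the mark when rpfilter does its reverse lookup; mark only new flows that
    # hit the ipset, then save the mark into conntrack for the rest of the flow.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -m set --match-set "$IPSET" dst \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # Both directions must be allowed through FORWARD (on OpenWrt normally done
    # by putting the tunnel in a firewall zone).
    run iptables -A FORWARD -o "$GRE_IF" -j ACCEPT
    run iptables -A FORWARD -i "$GRE_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Marked flows get a table whose only route is the tunnel.
    run ip route replace default dev "$GRE_IF" table "$TABLE"
    # Move the ordinary default route from main to the default table, so the
    # fwmark rule can sit between the main and default rules. Adding it with the
    # same pref as main (32766) places it after main and before default (32767).
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table default
    run ip route del default table main || true
    run ip rule add fwmark "$MARK" lookup "$TABLE" pref 32766
}

if [ "${1:-}" = apply ]; then configure_mark_routing; fi
```

With fw3 the iptables lines belong in /etc/firewall.user so they survive a firewall reload, and the route and rule commands need re-applying whenever netifd brings the WAN interface up again.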