--- zzzz-none-000/linux-4.9.276/net/netfilter/nfnetlink_queue.c 2021-07-20 14:21:16.000000000 +0000
+++ falcon-5530-750/linux-4.9.276/net/netfilter/nfnetlink_queue.c 2023-04-05 08:19:02.000000000 +0000
@@ -538,6 +538,12 @@
 nla_put_be32(skb, NFQA_MARK, htonl(entskb->mark)))
 goto nla_put_failure;
 
+#if IS_ENABLED(CONFIG_NETWORK_EXTMARK)
+ if (entskb->extmark &&
+ nla_put_be32(skb, NFQA_EXTMARK, htonl(entskb->extmark)))
+ goto nla_put_failure;
+#endif
+
 if (indev && entskb->dev &&
 entskb->mac_header != entskb->network_header) {
 struct nfqnl_msg_packet_hw phw;
@@ -984,6 +990,9 @@
 static const struct nla_policy nfqa_verdict_policy[NFQA_MAX+1] = {
 [NFQA_VERDICT_HDR] = { .len = sizeof(struct nfqnl_msg_verdict_hdr) },
 [NFQA_MARK] = { .type = NLA_U32 },
+#if IS_ENABLED(CONFIG_NETWORK_EXTMARK)
+ [NFQA_EXTMARK] = { .type = NLA_U32 },
+#endif
 [NFQA_PAYLOAD] = { .type = NLA_UNSPEC },
 [NFQA_CT] = { .type = NLA_UNSPEC },
 [NFQA_EXP] = { .type = NLA_UNSPEC },
@@ -1196,6 +1205,11 @@
 if (nfqa[NFQA_MARK])
 entry->skb->mark = ntohl(nla_get_be32(nfqa[NFQA_MARK]));
 
+#if IS_ENABLED(CONFIG_NETWORK_EXTMARK)
+ if (nfqa[NFQA_EXTMARK])
+ entry->skb->extmark = ntohl(nla_get_be32(nfqa[NFQA_EXTMARK]));
+#endif
+
 nf_reinject(entry, verdict);
 return 0;
 }
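Review bot: The message buffer is not visibly grown for the new attribute: the first hunk (@@ -538) adds `nla_put_be32(skb, NFQA_EXTMARK, ...)`, but no hunk in this diff touches the size sum that the queue message skb is allocated from, which sits earlier in the same function and outside the hunk. If that sum is unchanged, a packet with a non-zero extmark and a full payload copy can run out of tailroom and take `nla_put_failure`, so it never reaches the userspace listener and is dropped or passed according to the queue's fail-open setting. Add `+ nla_total_size(sizeof(u_int32_t)) /* extmark */` to the size sum under the same `#if IS_ENABLED(CONFIG_NETWORK_EXTMARK)` guard.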
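Review bot: The batch verdict path is left without NFQA_EXTMARK handling: the second hunk (@@ -984) extends only `nfqa_verdict_policy`, and the third (@@ -1196) applies the value only in the single-verdict handler, whose body starts outside the hunk. Upstream 4.9 has a separate `nfqa_verdict_batch_policy` and sets just `skb->mark` in `nfqnl_recv_verdict_batch()`; assuming this tree matches, an NFQA_EXTMARK sent with a batch verdict is not type-checked and is silently ignored. A userspace classifier that relies on extmark would then reinject packets unmarked without any error. Either mirror both additions in the batch path or document the limit next to the policy entry, e.g. `/* NFQA_EXTMARK is honoured for single verdicts only */`.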