It is not possible to use firewall marks as matching criteria, neither in firewall nor in policy route.
Firewall matchers:
vyos@vyos-suri# set firewall ipv4 name FOO rule 10
Possible completions:
   action                 Rule action
 + connection-mark        Connection mark
 > connection-status      Connection status
   description            Description
 > destination            Destination parameters
   disable                Option to disable firewall rule
 + dscp                   DSCP value
 + dscp-exclude           DSCP value not to match
 > fragment               IP fragment match
 > icmp                   ICMP type and code information
 > inbound-interface      Match inbound-interface
 > ipsec                  Inbound IPsec packets
   jump-target            Set jump target. Action jump must be defined to use this setting
 > limit                  Rate limit using a token bucket filter
   log                    Option to log packets matching rule
 > log-options            Log options
 > outbound-interface     Match outbound-interface
 + packet-length          Payload size in bytes, including header and data to match
 + packet-length-exclude  Payload size in bytes, including header and data not to match
   packet-type            Packet type
   protocol               Protocol to match (protocol name, number, or "all")
   queue                  Queue target to use. Action queue must be defined to use this setting
 + queue-options          Options used for queue target. Action queue must be defined to use this setting
 > recent                 Parameters for matching recently seen sources
 > source                 Source parameters
 > state                  Session state
 > tcp                    TCP flags to match
 > time                   Time to match rule
 > ttl                    Time to live limit
Policy route matchers:
vyos@vyos-suri# set policy route FOO rule 10
Possible completions:
   action                 Rule action
 + connection-mark        Connection mark
   description            Description
 > destination            Destination parameters
   disable                Option to disable firewall rule
 + dscp                   DSCP value
 + dscp-exclude           DSCP value not to match
 > fragment               IP fragment match
 > icmp                   ICMP type and code information
 > ipsec                  Inbound IPsec packets
 > limit                  Rate limit using a token bucket filter
   log                    Option to log packets matching rule
 + packet-length          Payload size in bytes, including header and data to match
 + packet-length-exclude  Payload size in bytes, including header and data not to match
   packet-type            Packet type
   protocol               Protocol to match (protocol name, number, or "all") (default: all)
 > recent                 Parameters for matching recently seen sources
 > set                    Packet modifications
 > source                 Source parameters
 > state                  Session state
 > tcp                    TCP flags to match
 > time                   Time to match rule
 > ttl                    Time to live limit
It would be useful in some cases to be able to use firewall marks as an option in firewall/policy