Different routing rules for a particular user using firewall mark and ip rule

Posted by Paul Crowley on Super User See other posts from Super User or by Paul Crowley
Published on 2012-11-05T22:34:42Z Indexed on 2012/11/05 23:04 UTC


Running Ubuntu 12.10 on amd64.

I'm trying to set up different routing rules for a particular user. I understand that the right way to do this is to create a firewall rule that marks the packets for that user, and add a routing rule for that mark. Just to get testing going, I've added a rule that discards all packets as unreachable:

# ip rule
0:  from all lookup local
32765:  from all fwmark 0x1 unreachable
32766:  from all lookup main
32767:  from all lookup default

With this rule in place and all firewall chains in all tables empty and policy ACCEPT, I can still ping remote hosts just fine as any user.

If I then add a rule to mark all packets and try to ping Google, it fails as expected.

# iptables -t mangle -F OUTPUT
# iptables -t mangle -A OUTPUT -j MARK --set-mark 0x01
# ping www.google.com
ping: unknown host www.google.com

If I restrict this rule to the VPN user, it seems to have no effect.

# iptables -t mangle -F OUTPUT
# iptables -t mangle -A OUTPUT -j MARK --set-mark 0x01 -m owner --uid-owner vpn
# sudo -u vpn ping www.google.com
PING www.google.com (173.194.78.103) 56(84) bytes of data.
64 bytes from wg-in-f103.1e100.net (173.194.78.103): icmp_req=1 ttl=50 time=36.6 ms

But it appears that the mark is being set, because if I add a rule to drop these packets in the firewall, it works:

# iptables -t mangle -A OUTPUT -j DROP -m mark --mark 0x01
# sudo -u vpn ping www.google.com
ping: unknown host www.google.com

What am I missing? Thanks!

© Super User or respective owner
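The full setup the question is working towards, written out as an added example (this is not code from the original post). It assumes the user is called vpn, the mark is 0x1, the private routing table is 100, the tunnel interface is tun0 and its next hop is 10.8.0.1; every one of those values is an assumption and can be overridden through the environment. The script runs the commands when invoked as `sh per_user_routing.sh apply` (as root) and only prints them with `dry-run`.

```shell
#!/bin/sh
# Added example, not from the original post. Per-user policy routing:
# mark packets by socket owner in mangle/OUTPUT, then send marked packets
# through a separate routing table. All names below are assumptions.
set -eu

USER_NAME="${USER_NAME:-vpn}"   # assumed user whose traffic is rerouted
MARK="${MARK:-0x1}"             # assumed firewall mark
TABLE="${TABLE:-100}"           # assumed routing table number
VPN_DEV="${VPN_DEV:-tun0}"      # assumed tunnel interface
VPN_GW="${VPN_GW:-10.8.0.1}"    # assumed next hop inside the tunnel

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# All steps of the setup, in the order they should be applied.
per_user_routing_setup() {
    # 1. Mark locally generated packets whose socket belongs to $USER_NAME.
    #    The mark is applied after the initial route lookup; the kernel
    #    re-routes the packet because its mark changed.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$USER_NAME" \
        -j MARK --set-mark "$MARK"
    # 2. Copy the mark onto the conntrack entry and restore it on replies,
    #    so inbound packets of the same flow carry the mark as well.
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" \
        -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 3. Marked packets consult table $TABLE before the main table.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$VPN_GW" dev "$VPN_DEV" table "$TABLE"
    # 4. Let reverse-path filtering use the restored mark; otherwise replies
    #    arriving on $VPN_DEV can be dropped as coming from the wrong way.
    run sysctl -w net.ipv4.conf.all.src_valid_mark=1
    # 5. The far end of the tunnel only knows the tunnel address.
    run iptables -t nat -A POSTROUTING -o "$VPN_DEV" -m mark --mark "$MARK" \
        -j MASQUERADE
}

# Number of commands the setup emits (used for self-checks).
per_user_routing_cmd_count() {
    ( DRY_RUN=1; per_user_routing_setup ) | wc -l | tr -d ' '
}

# The owner match looks at the credentials of the socket, not of the shell
# that started the program. Returns 0 when the local ping is setuid, in
# which case its raw socket is owned by root and escapes the uid match.
ping_is_setuid() {
    [ -u "$(command -v ping)" ]
}

case "${1:-}" in
    apply)   per_user_routing_setup ;;
    dry-run) DRY_RUN=1 per_user_routing_setup ;;
esac
```

One caveat worth checking before debugging the rules themselves: `-m owner --uid-owner` matches the credentials attached to the sending socket, not the user that launched the command. A setuid-root ping opens its raw socket before it drops privileges, so its ICMP packets are attributed to root and never receive the mark, while a DNS lookup made afterwards as the unprivileged user does. `ls -l "$(command -v ping)"` shows whether that applies on a given host; a non-setuid client such as `curl` is a cleaner test of the mark.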
