Marking packets in iptables based on output interface
1 vote, 1 answer, 251 views
I have an unusual setup on my server. We have three outgoing ethernet ports, all connected to a single bridge interface that we split into two VLANs:

```shell
# bridge over the three physical ports
ip link add veth type bridge
ip link set veth address 01:23:45:67:89:0A
ip link set dev eth1 master veth
ip link set dev eth2 master veth
ip link set dev eth3 master veth
[...]
# 802.1Q sub-interfaces on the bridge, one per VLAN
ip link add link veth name veth.10 type vlan id 10
ip link add link veth name veth.20 type vlan id 20
# macvlan on top of VLAN 20, used as the parent of the Docker network
ip link add veth.20-local link veth.20 type macvlan mode bridge
[...]
docker network create --driver=macvlan --subnet=192.168.XXX.0/24 --opt com.docker.network.driver.mtu=1500 --gateway 192.168.XXX.1 --opt parent=veth.20-local dockerbr20
```
I have a docker image inside my server connected to the `veth.20` address, which is only allowed to communicate over `veth.20`. There are routing and forwarding rules in the rest of the network that allow the docker image to communicate to a few select destinations outside of that VLAN.

I would like to add an `iptables` rule covering outgoing packets that leave my server out of the `veth.20` interface, regardless of their destination. (Some packets must stay within the `veth.20` interface; some can be routed over to other VLANs.)
The following rules have been attempted, and for whatever reason, do not appear to mark packets leaving over `veth.20` from the docker container:

```shell
iptables -A POSTROUTING -t mangle -o veth.20 -j MARK --set-mark 3
iptables -A PREROUTING -t mangle -i veth.20 -j MARK --set-mark 3
iptables -A POSTROUTING -t nat -o veth.20 -j MARK --set-mark 3
iptables -A PREROUTING -t nat -i veth.20 -j MARK --set-mark 3
iptables -A OUTPUT -t mangle -o veth.20 -j MARK --set-mark 3
iptables -A INPUT -t mangle -i veth.20 -j MARK --set-mark 3
iptables -A FORWARD -i veth.20 -j MARK --set-mark 3
iptables -A FORWARD -o veth.20 -j MARK --set-mark 3
```
That is, `iptables -L -n -v -t mangle` and `iptables -L -n -v -t nat` do not show any of these rules being applied to outgoing packets from `veth.20` to a host on another VLAN.
I have confirmed, through `ifconfig`, that all the packets from the docker image are leaving the server over `veth.20`; the `iptables -A OUTPUT -t mangle -o veth.20 -j MARK --set-mark 3` rule applies when I send packets to external machines on VLAN 20, from the server or the docker image; but when I send packets out over the `veth.20` interface from docker that are routed to an external VLAN 10 or VLAN 30 address (not pictured), no marks are applied.
I feel like this should be a simple problem, but nothing I've tried has been able to mark based on the interface that the packet uses to leave the box. What am I missing?
Asked by Garrett (13 rep), Mar 12, 2024, 07:59 PM
Last activity: Apr 11, 2024, 10:01 AM
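Whether a `-o veth.20` MARK rule is matching can be read from its own counters rather than inferred from `ifconfig`. The following added example (not code from the original question, nor from the asker's host) parses the output of `iptables -t mangle -L POSTROUTING -n -v`, reports whether a `MARK --set-mark 3` rule on `-o veth.20` is present and how many packets it has matched, and produces the idempotent `-C`/`-A` command pair used to install it. The listing in `SAMPLE_LISTING`, the function names and the mark value 3 are constructed for the example.

```python
"""Read iptables counters to tell whether a MARK rule keyed on an output
interface is matching anything.

Added diagnostic for the question above; this is not code from the original
post. It assumes the rule was installed as
    iptables -t mangle -A POSTROUTING -o <iface> -j MARK --set-mark <mark>
and reads the text produced by `iptables -t mangle -L POSTROUTING -n -v`.
SAMPLE_LISTING below is constructed for the example, not captured output.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed listing in the format `iptables -L -n -v` prints (-x would
# give exact counters; without it large values carry K/M/G suffixes).
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 48213 packets, 6120944 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     912   121508 MARK       all  --  *      veth.20  0.0.0.0/0            0.0.0.0/0            MARK set 0x3
       0        0 MARK       all  --  *      veth.10  0.0.0.0/0            0.0.0.0/0            MARK set 0x2
     12K     1688K ACCEPT     all  --  *      *        0.0.0.0/0            0.0.0.0/0
"""

_COUNTER = re.compile(r"^\d+[KMG]?$")
_SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    in_if: str
    out_if: str
    extra: str  # match/target details printed after the destination column


def parse_count(tok: str) -> int:
    """iptables abbreviates counters with decimal K/M/G suffixes."""
    if tok[-1] in _SCALE:
        return int(tok[:-1]) * _SCALE[tok[-1]]
    return int(tok)


def parse_listing(listing: str) -> list[Rule]:
    """Turn `iptables -L -n -v` output into Rule records, one per rule line."""
    rules = []
    for line in listing.splitlines():
        fields = line.split(None, 9)
        # The chain banner and the column header are skipped: neither
        # starts with a packet counter.
        if len(fields) < 9 or not _COUNTER.match(fields[0]):
            continue
        pkts, nbytes, target, _proto, _opt, in_if, out_if, _src, _dst = fields[:9]
        extra = fields[9] if len(fields) > 9 else ""
        rules.append(Rule(parse_count(pkts), parse_count(nbytes), target,
                          in_if, out_if, extra))
    return rules


def mark_rule_status(listing: str, out_if: str, mark: int) -> tuple[bool, int]:
    """Return (rule_present, packets_matched) for MARK --set-mark <mark> on -o <out_if>.

    A rule that is present but stays at zero while the interface's own TX
    counters climb means those packets never traversed the mangle
    POSTROUTING hook in this network namespace.
    """
    want = ["MARK", "set", f"0x{mark:x}"]
    for r in parse_listing(listing):
        if r.target == "MARK" and r.out_if == out_if and r.extra.split() == want:
            return True, r.pkts
    return False, 0


def install_cmds(out_if: str, mark: int) -> list[list[str]]:
    """Idempotent install pair: run -C first; append with -A only if -C fails."""
    spec = ["-t", "mangle", "POSTROUTING", "-o", out_if,
            "-j", "MARK", "--set-mark", str(mark)]
    return [["iptables", "-C", *spec], ["iptables", "-A", *spec]]


def live_status(out_if: str, mark: int) -> tuple[bool, int]:
    """Same check against the running kernel (needs root / CAP_NET_ADMIN)."""
    out = subprocess.run(["iptables", "-t", "mangle", "-L", "POSTROUTING", "-n", "-v"],
                         capture_output=True, text=True, check=True).stdout
    return mark_rule_status(out, out_if, mark)


if __name__ == "__main__":
    for iface, mark in (("veth.20", 3), ("veth.10", 2)):
        present, pkts = mark_rule_status(SAMPLE_LISTING, iface, mark)
        print(f"{iface} mark {mark}: present={present} packets={pkts}")
```

Run `live_status("veth.20", 3)` as root to check the live table. A rule that is present with a zero packet counter while `ifconfig` shows the interface transmitting is the useful fact to establish before adding further rules: the ip-family iptables hooks only see packets the host's IP stack routes or originates, not frames handed to the parent device at layer 2 by a macvlan child (or bridged frames, unless `br_netfilter` is loaded), so a counter that never moves means the rule is in a place those packets do not pass through.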