
Option to use ctmark instead of nfmark for marking/matching kube-proxy traffic #78948

Closed
@maxstr

Description


What would you like to be added:
Right now kube-proxy marks and matches traffic bound for service VIPs with nfmark (iptables MARK) rules. I would like to be able to mark and match VIP traffic using ctmark (iptables CONNMARK) rules instead.

Why is this needed:
One issue with using nfmarks is that they persist through packet encapsulation for tunnel devices. This means that for traffic to a VIP over a tunnel device (e.g. VXLAN or IP-in-IP) both the encapsulated and encapsulating packet will be marked for MASQUERADE. This MASQUERADE is an incorrect behavior on the outer packet, but is usually benign; the correct behavior would be for the encapsulating traffic to just use the route on the host with whatever source is set on that route. The issue is that MASQUERADE overrides the use of route source hints, which are used in some host ECMP setups or hosts where multiple addresses are assigned on a single interface.

If this is something there'd be openness to I can probably put together a PR for it.
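The following is an added illustration of the two rule variants discussed above; it is not kube-proxy's code and not part of the original issue. It emits a simplified kube-proxy-style nat ruleset in iptables-restore format, either with the packet-mark (MARK / -m mark) pair that kube-proxy uses, or with the connection-mark (CONNMARK / -m connmark) pair the issue proposes. The chain names and the default masquerade bit (14, i.e. 0x4000) follow kube-proxy's defaults; the service VIP 10.96.0.10, the endpoint 10.244.1.5 and the ports are constructed inputs, the real KUBE-SERVICES/KUBE-SVC-* chains carry more conditions than shown, and the comments on tunnel behaviour restate the issue author's description rather than anything verified here.

```sh
#!/bin/sh
# Added illustration (not kube-proxy's own code): emit a simplified,
# kube-proxy-style nat ruleset in iptables-restore format in one of two variants.
#   nfmark - packet mark (MARK / -m mark), which is what kube-proxy uses today
#   ctmark - connection mark (CONNMARK / -m connmark), as proposed in this issue
# Chain names and the default masquerade bit (14 -> 0x4000) mirror kube-proxy's
# defaults; the VIP, endpoint and ports are constructed inputs for the example.

# mark_spec BIT: turn a mark bit number (0-31) into an "0xVAL/0xVAL" xmark spec.
mark_spec() {
    bit=$1
    val=$((1 << bit))
    printf '0x%x/0x%x\n' "$val" "$val"
}

# gen_rules MODE BIT VIP ENDPOINT: print the nat-table rules for MODE.
# Only the two mark-related lines differ between the variants:
#   nfmark: sets skb->mark on the inner packet; per the issue this mark is
#           inherited by the outer VXLAN/IPIP packet, so "-m mark" also fires
#           there and MASQUERADE rewrites the outer source instead of leaving
#           the route's source hint alone.
#   ctmark: sets the mark on the conntrack entry of the inner connection; the
#           outer tunnel packet is a separate flow with its own conntrack entry,
#           so "-m connmark" does not match it and the route's source is kept.
gen_rules() {
    mode=$1; bit=$2; vip=$3; ep=$4
    spec=$(mark_spec "$bit") || return 1
    case "$mode" in
        nfmark) set_target="MARK --set-xmark $spec";     match="-m mark --mark $spec" ;;
        ctmark) set_target="CONNMARK --set-xmark $spec"; match="-m connmark --mark $spec" ;;
        *) echo "gen_rules: unknown mode '$mode' (want nfmark|ctmark)" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:KUBE-SERVICES - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-POSTROUTING - [0:0]
-A PREROUTING -j KUBE-SERVICES
-A OUTPUT -j KUBE-SERVICES
-A POSTROUTING -j KUBE-POSTROUTING
-A KUBE-MARK-MASQ -j $set_target
-A KUBE-SERVICES -d $vip/32 -p tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d $vip/32 -p tcp --dport 80 -j DNAT --to-destination $ep:8080
-A KUBE-POSTROUTING $match -j MASQUERADE
COMMIT
EOF
}

# Usage: sh marks.sh nfmark|ctmark [BIT [VIP [ENDPOINT]]]
# e.g.   sh marks.sh ctmark 14 10.96.0.10 10.244.1.5 | iptables-restore --noflush
if [ $# -gt 0 ]; then
    gen_rules "$1" "${2:-14}" "${3:-10.96.0.10}" "${4:-10.244.1.5}"
fi
```

Run it with `nfmark` and `ctmark` and diff the two outputs: only the KUBE-MARK-MASQ target and the KUBE-POSTROUTING match change, which is the whole surface of the proposal. Feed the output to `iptables-restore` only on a lab machine, since the chain declarations flush any existing KUBE-* chains of the same name.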

Labels

    kind/feature: Categorizes issue or PR as related to a new feature.
    lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
    sig/network: Categorizes an issue or PR as relevant to SIG Network.
