I know that the rule in KUBE-MARK-MASQ chain is a mark rule:
iptables -t nat -nvL KUBE-MARK-MASQ
Chain KUBE-MARK-MASQ (123 references)
pkts bytes target prot opt in out source destination
16 960 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000
It's to mark a packet so that the packets can do SNAT in the KUBE-POSTROUTING chain, and the source IP can be changed to the node's IP. But what confuses me is why there are so many different KUBE-MARK-MASQ rules in the k8s chains. For example, in the KUBE-SERVICES chain there are lots of KUBE-MARK-MASQ rules. What are they marking for? The pod, or something else?
Let's see an example:
KUBE-MARK-MASQ tcp -- * * !10.244.0.0/16 10.96.0.10 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
It's a kube-dns ClusterIP rule. My pods' CIDR is 10.244.0.0/16. Why does the rule's source IP have a "!"? If a pod in the node wants to send a packet outbound, it shouldn't have the "!"; then it can do SNAT in KUBE-POSTROUTING to change to the node's IP. Is my understanding wrong?
And there are also other KUBE-MARK-MASQ rules in the KUBE-SEP-XXX chain:
KUBE-MARK-MASQ all -- * * 10.244.2.162 0.0.0.0/0 /* default/echo-load-balance: */
DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* default/echo-load-balance: */ tcp to:10.244.2.162:8080
The pod's IP is 10.244.2.162, and the rule's source IP matches the pod's IP. What is it used for?
And in the KUBE-FW-XXX chain:
KUBE-MARK-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* default/echo-load-balance: loadbalancer IP */
KUBE-SVC-P24HJGZOUZD6OJJ7 all -- * * 0.0.0.0/0 0.0.0.0/0 /* default/echo-load-balance: loadbalancer IP */
KUBE-MARK-DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* default/echo-load-balance: loadbalancer IP */
Why is the source IP here 0.0.0.0/0? What is it used for?
The IP address 0.0.0.0/0 means it matches any kind of IP; the only thing I'm not quite sure about is the rules below:
KUBE-MARK-MASQ all -- * * 10.244.2.162 0.0.0.0/0 /* default/echo-load-balance: */
DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* default/echo-load-balance: */ tcp to:10.244.2.162:8080
Why do we need to masquerade the packet when the source IP address is itself?
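The following is an added example, not code from either post above or from kube-proxy itself. It models the three kinds of KUBE-MARK-MASQ rules quoted in the question (the `!10.244.0.0/16` cluster-IP rule, the KUBE-SEP rule whose source is the endpoint's own IP, and the KUBE-FW rule with source 0.0.0.0/0) together with the KUBE-POSTROUTING masquerade, and then traces a few constructed packets through them so the effect of each rule can be seen. The pod CIDR, the kube-dns cluster IP and port, and the echo-load-balance endpoint 10.244.2.162:8080 are taken from the posts; the node IP, the echo-load-balance cluster IP and LoadBalancer IP, the kube-dns endpoint and the client addresses are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MASQ_MARK = 0x4000                                  # bit set by the KUBE-MARK-MASQ chain
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")    # pod CIDR stated in the question
NODE_IP = "192.168.1.10"                            # assumption: this node's address

# Constructed service table modelled on the rules in the question. 10.96.0.10:9153 and
# 10.244.2.162:8080 come from the posts; the other addresses below are assumptions.
SERVICES = {
    "kube-system/kube-dns:metrics": dict(cluster_ip="10.96.0.10", port=9153,
                                         lb_ip=None, endpoint=("10.244.0.3", 9153)),
    "default/echo-load-balance": dict(cluster_ip="10.96.55.21", port=80,
                                      lb_ip="203.0.113.7", endpoint=("10.244.2.162", 8080)),
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0
    snat: Optional[str] = None            # set by KUBE-POSTROUTING when the mark bit is present
    trace: list = field(default_factory=list)


def kube_mark_masq(pkt: Packet) -> None:
    """The only rule in KUBE-MARK-MASQ: MARK or 0x4000."""
    pkt.mark |= MASQ_MARK
    pkt.trace.append("KUBE-MARK-MASQ")


def kube_sep(pkt: Packet, svc: dict) -> None:
    """KUBE-SEP-XXX: hairpin check, then DNAT to the endpoint."""
    ep_ip, ep_port = svc["endpoint"]
    # "KUBE-MARK-MASQ all -- <endpoint ip> 0.0.0.0/0": the endpoint pod talking to its own
    # service gets DNATed back to itself. Without SNAT it would receive a packet whose
    # source is its own IP and answer itself directly, so the reply would never pass back
    # through the node's conntrack entry to be un-DNATed.
    if pkt.src == ep_ip:
        kube_mark_masq(pkt)
    pkt.dst, pkt.dport = ep_ip, ep_port   # "DNAT tcp to:<endpoint>:<port>", a terminating target
    pkt.trace.append("DNAT")


def kube_services(pkt: Packet) -> None:
    """KUBE-SERVICES as hit from PREROUTING (and OUTPUT for the node's own processes)."""
    for svc in SERVICES.values():
        if pkt.dst == svc["cluster_ip"] and pkt.dport == svc["port"]:
            # "KUBE-MARK-MASQ tcp -- !10.244.0.0/16 <cluster ip> dpt:<port>": only traffic
            # that does NOT originate from a pod is masqueraded; pod-to-service traffic keeps
            # its pod source IP, and the endpoint's reply is un-DNATed by conntrack.
            if ipaddress.ip_address(pkt.src) not in POD_CIDR:
                kube_mark_masq(pkt)
            kube_sep(pkt, svc)            # via KUBE-SVC-XXX (single endpoint, so no balancing)
            return
        if svc["lb_ip"] and pkt.dst == svc["lb_ip"] and pkt.dport == svc["port"]:
            # KUBE-FW-XXX: "KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0": every client of the
            # LoadBalancer IP is masqueraded so the endpoint's reply returns through this node.
            # KUBE-MARK-DROP below it is reached only if no DNAT terminated the traversal.
            kube_mark_masq(pkt)
            kube_sep(pkt, svc)
            return
    # Anything else (e.g. a pod reaching the Internet) is not kube-proxy's business; the CNI
    # plugin's own MASQUERADE rule, not modelled here, handles that case.
    pkt.trace.append("no service match")


def kube_postrouting(pkt: Packet) -> None:
    """KUBE-POSTROUTING: MASQUERADE only packets carrying the 0x4000 mark."""
    if pkt.mark & MASQ_MARK:
        pkt.snat = NODE_IP
        pkt.trace.append("MASQUERADE")


def route(src: str, dst: str, dport: int) -> Packet:
    """Run one constructed packet through the nat chains and return the result."""
    pkt = Packet(src, dst, dport)
    kube_services(pkt)
    kube_postrouting(pkt)
    return pkt


if __name__ == "__main__":
    cases = [
        ("pod -> cluster IP",          "10.244.1.5",   "10.96.55.21", 80),
        ("node process -> kube-dns",   NODE_IP,        "10.96.0.10",  9153),
        ("endpoint pod -> own service", "10.244.2.162", "10.96.55.21", 80),
        ("external client -> LB IP",   "198.51.100.9", "203.0.113.7", 80),
    ]
    for label, src, dst, dport in cases:
        p = route(src, dst, dport)
        print(f"{label:28} mark=0x{p.mark:04x} dst={p.dst}:{p.dport} snat={p.snat} via {p.trace}")
```

Running it shows that the pod-to-ClusterIP packet is DNATed without any mark, the node-local and external packets are marked and masqueraded to the node IP, and the endpoint pod calling its own service is the one case where a source inside the pod CIDR still gets masqueraded, which is what the KUBE-SEP rule with source 10.244.2.162 exists for.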