Comment 5 for bug 1447651

hujin (hujin) wrote :

2018-08-27 10:07:32.989 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :neutron-vpn-agen-FORWARD
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :POSTROUTING ACCEPT [11:1184]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :OUTPUT ACCEPT [11:1184]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :FORWARD ACCEPT [0:0]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :INPUT ACCEPT [1675:120600]
2018-08-27 10:07:32.991 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :PREROUTING ACCEPT [1676:120664]

def _weed_out_removes(line):
    # remove any rules or chains from the filter that were slated
    # for removal (`table` comes from the enclosing scope)
    if line.startswith(':'):
        # everything after the leading ':' is used as the chain name
        chain = line[1:]
        if chain in table.remove_chains:
            table.remove_chains.remove(chain)
            return False
    else:
        if line in table.remove_rules:
            table.remove_rules.remove(line)
            return False
    # Leave it alone
    return True

You can see that when you get the iptables rule name in the code “line[1:]”,
there is a count after the chain name, and the count value changes,
which invalidates the judgment.
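
Added example, not part of the comment above and not neutron's code: a minimal Python reproduction of the comparison described there, next to a hypothetical variant that matches on the parsed chain name only. The function names and the sample chain `example-stale-chain` are constructed for illustration.

```python
import re

# iptables-save chain declaration: ":<chain> [<policy> [[<packets>:<bytes>]]]"
CHAIN_DECL = re.compile(
    r"^:(?P<chain>\S+)(?:\s+(?P<policy>\S+)(?:\s+\[\d+:\d+\])?)?\s*$")


def chain_name(line):
    """Return the chain name from a chain declaration line, or None."""
    m = CHAIN_DECL.match(line)
    return m.group("chain") if m else None


def weed_out_by_slice(lines, remove_chains):
    """Same key as the quoted function: everything after the leading ':'."""
    pending, kept = set(remove_chains), []
    for line in lines:
        if line.startswith(":") and line[1:] in pending:
            pending.discard(line[1:])
            continue
        kept.append(line)
    return kept, pending


def weed_out_by_name(lines, remove_chains):
    """Hypothetical variant: compare only the parsed chain name."""
    pending, kept = set(remove_chains), []
    for line in lines:
        name = chain_name(line) if line.startswith(":") else None
        if name in pending:
            pending.discard(name)
            continue
        kept.append(line)
    return kept, pending


# Constructed sample in iptables-save format; the stale chain name is made up.
SAMPLE = [
    ":INPUT ACCEPT [1675:120600]",
    ":FORWARD ACCEPT [0:0]",
    ":example-stale-chain - [0:0]",
    "-A FORWARD -j example-stale-chain",
]

if __name__ == "__main__":
    for fn in (weed_out_by_slice, weed_out_by_name):
        kept, pending = fn(SAMPLE, ["example-stale-chain"])
        print(fn.__name__, "kept:", len(kept), "still pending:", sorted(pending))
```

With the slice comparison the chain scheduled for removal stays in the rule set and in the pending set; the name comparison drops its declaration regardless of the counter values.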