Comment 0 for bug 1925789

Victor Serbu (victor2709) wrote :

Scenario:
I have a router with two internal interfaces.
Each router port is assigned to a different firewall group (port1 in firewall group fg1, port2 in firewall group fg2).
If I remove port1 from fg1, the L3 agent removes port1's rules from the iptables filter table.
But if I then add port1 back to fg1, port1's firewall rules are appended at the end of the iptables filter chains instead of being restored to their original position. In the neutron-l3-agent-FORWARD chain this also changes which interface the catch-all neutron-l3-agent-fwaas-defau jump (which ends in neutron-l3-agent-dropped, i.e. DROP) is attached to: initially it is attached to qr-16bfccec-5c (port2), after re-adding port1 it is attached only to qr-4fd4f4f5-60 (port1). So the relative order of the per-port jumps, and therefore which port carries the default-drop fallback, is not stable across a remove/re-add of a port.

#initial
#port1 in fg1, port2 in fg2
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
:neutron-l3-agent-scope - [0:0]
:neutron-l3-agent-accepted - [0:0]
:neutron-l3-agent-dropped - [0:0]
:neutron-l3-agent-rejected - [0:0]
:neutron-l3-agent-fwaas-defau - [0:0]
:neutron-l3-agent-iv4a43875cf - [0:0]
:neutron-l3-agent-ov4a43875cf - [0:0]
:neutron-l3-agent-iv451003ddf - [0:0]
:neutron-l3-agent-ov451003ddf - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-iv4a43875cf
-A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-ov4a43875cf
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4a43875cf -s 10.170.0.0/24 -d 10.160.0.0/24 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
COMMIT

#remove port1 from fg1
iptables-save
....
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
COMMIT

#add port1 back to fg1
iptables-save
....
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
-A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-iv4a43875cf
-A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-ov4a43875cf
-A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT