Score:0

How iptables keeps insertion and list consistent


I have a Golang project that automates the execution of the iptables command to modify the network, and at the same time needs to do checks to determine if it has been filled successfully.

I listed the rules via the iptables -S command, but there were some inconsistencies.

For example:

iptables -t nat -A PREROUTING -d $INET_IP -p tcp --dport 80 -j DNAT --to-destination $INNET_IP

The corresponding list results are as follows:

# iptables -t nat -S PREROUTING
-A PREROUTING -d $INET_IP/32 -p tcp --dport 80 -j DNAT --to-destination $INNET_IP

The key difference is the extra /32. Is there some parameter in iptables that simplifies the result of iptables -S to eliminate this type of difference? I really appreciate any help with this.

Score:1

Internally it expects network addresses and stores them in the form address/netmask. /32 is the netmask of a single host; you only provided an IP without a mask, which is permitted and treated as a single host, so it added the single-host mask /32 before adding the rule into the kernel. This behaviour is documented.

During the list operation you just saw its internal representation, with the netmask, as it is stored in the kernel.

It is not a key difference in any way, and you should just ignore it. This is not a unique feature of iptables; some other firewalls on other systems look the same in this respect.
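One way to make the Go check tolerant of this, as an added example that is not code from the question or the answer: canonicalize the rule the way the kernel stores it (host mask added to bare -s/-d addresses, the -t selector dropped because -S output never shows it) before comparing it with an iptables -S line. The addresses below are constructed documentation-range samples, and the set of address options handled is an assumption limited to -s/-d and their long forms.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Options whose argument the kernel stores as address/netmask.
var addrFlags = map[string]bool{"-s": true, "--source": true, "-d": true, "--destination": true}

// hostMask adds the single-host mask iptables implies for a bare IP
// (/32 for IPv4, /128 for IPv6); CIDR strings and hostnames pass through.
func hostMask(tok string) string {
	ip := net.ParseIP(tok)
	switch {
	case strings.Contains(tok, "/") || ip == nil:
		return tok
	case ip.To4() != nil:
		return tok + "/32"
	}
	return tok + "/128"
}

// NormalizeRule rewrites a rule as typed into the shape `iptables -S` prints:
// the `-t <table>` selector is dropped and bare -s/-d addresses get a host mask.
func NormalizeRule(rule string) string {
	toks := strings.Fields(rule)
	out := make([]string, 0, len(toks))
	for i := 0; i < len(toks); i++ {
		switch {
		case toks[i] == "-t" && i+1 < len(toks):
			i++ // skip the table name too
		case addrFlags[toks[i]] && i+1 < len(toks):
			out = append(out, toks[i], hostMask(toks[i+1]))
			i++
		default:
			out = append(out, toks[i])
		}
	}
	return strings.Join(out, " ")
}

// SameRule compares a rule the program added with one line of `iptables -S` output.
func SameRule(added, listed string) bool { return NormalizeRule(added) == NormalizeRule(listed) }

func main() { // constructed sample: the question's command vs. its -S listing
	fmt.Println(SameRule(
		"-t nat -A PREROUTING -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10",
		"-A PREROUTING -d 203.0.113.10/32 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10"))
}
```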
