I used -I by mistake since my chain doesn't exist in your example, sorry. Actually I just did:
ipt -A tcp_packets -m recent --name ssh_knock --remove
which is just what you used but without the logging.

In my rules this is at the end of the tcp_packets/tcp_filter list before the default DROP.

Ensuring it comes after any 'accept' ports and 'established' should do what you want though.