Tuesday, 20 August 2013

Iptables and Port Scanning and Recent module

I'm trying to write an adaptive firewall using iptables, and am not clear
on how the recent module is working. For example, see
http://blog.zioup.org/2008/iptables_recent/
Snippet from my iptables:
...input stuff, established, etc...
-A INPUT -m conntrack --ctstate NEW -j limiter
... more input stuff...
# very end of chain, nothing matches. Likely unauthorized port
-A INPUT -m conntrack --ctstate NEW -m recent --name PORTSCAN --set
# limiter table
-A limiter -m recent --update --name PORTSCAN
-A limiter -m recent --rcheck --name PORTSCAN --hitcount 10 --seconds 300 -j LOG
This setup works. Watching /proc/net/xt_recent/PORTSCAN, running nmap on a
closed port adds my IP, and then trying to connect to, say, port 80 (which
is open) updates the list. Additionally, if I connect to just open ports,
I am not added to the list.
My question is, when I try to combine the two lines in the limiter table
into one, it no longer works.
#-A limiter -m recent --update --name PORTSCAN
#-A limiter -m recent --rcheck --name PORTSCAN --hitcount 10 --seconds 300 -j LOG
-A limiter -m recent --update --name PORTSCAN --hitcount 10 --seconds 300 -j LOG
Scanning an open port after a closed one does not update the list
(although if the limit of 10 packets/300 secs is overrun, it is logged).
My understanding was that the update line would be equivalent to the other
two. Why not?
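The behaviour the post observes comes from how the recent match applies its conditions: --rcheck and --update both only "match" when the address is listed and the --seconds/--hitcount conditions hold, and --update refreshes the entry only when that match succeeds (iptables-extensions(8): "Like --rcheck, except it will update the 'last seen' timestamp if it matches"). A bare --update therefore adds a timestamp on every NEW connection from a listed address, while --update --hitcount 10 --seconds 300 touches nothing until ten timestamps already fall inside the window. The following Python model, added here as an editor's example and not code from the post or from iptables, replays the two rule sets above against a constructed packet trace from a sample address to show the difference; the class and function names are the example's own.

```python
"""Model of the iptables 'recent' match (added example, not the post's own code).

Semantics follow the xt_recent match as documented in iptables-extensions(8):
  --set     add a fresh timestamp for the address; always matches
  --rcheck  match if the address is listed and the --seconds/--hitcount
            conditions hold; the list is left untouched
  --update  like --rcheck, but when it matches, also add a fresh timestamp
Timestamps are plain integers (seconds) instead of kernel jiffies.
"""
from collections import defaultdict

IP_PKT_LIST_TOT = 20      # kernel default: timestamps kept per address
ATTACKER = "198.51.100.7"  # constructed sample address (TEST-NET-2 range)


class RecentList:
    def __init__(self, max_stamps=IP_PKT_LIST_TOT):
        self.stamps = defaultdict(list)   # address -> timestamps, oldest first
        self.max_stamps = max_stamps

    def _add_stamp(self, addr, now):
        s = self.stamps[addr]
        s.append(now)
        if len(s) > self.max_stamps:     # oldest entry is dropped when full
            del s[0]

    def set(self, addr, now):
        self._add_stamp(addr, now)
        return True

    def _check(self, addr, now, seconds=0, hitcount=0):
        """Count timestamps inside the window; match once hitcount is reached.
        seconds=0 means no window, hitcount=0 means any listed address matches."""
        s = self.stamps.get(addr)
        if not s:
            return False
        hits = 0
        for t in s:
            if seconds and now - t > seconds:
                continue
            hits += 1
            if not hitcount or hits >= hitcount:
                return True
        return False

    def rcheck(self, addr, now, seconds=0, hitcount=0):
        return self._check(addr, now, seconds, hitcount)

    def update(self, addr, now, seconds=0, hitcount=0):
        matched = self._check(addr, now, seconds, hitcount)
        if matched:                       # timestamp refreshed only on a match
            self._add_stamp(addr, now)
        return matched


def simulate(combined, events):
    """Replay (time, addr, port_open) events through the post's rule set.

    combined=False: limiter has separate --update and --rcheck rules.
    combined=True:  limiter has the single --update --hitcount --seconds rule.
    Returns (timestamps per address after each event, times a LOG fired)."""
    table = RecentList()
    counts, logged = [], []
    for now, addr, port_open in events:
        # limiter chain: every NEW connection is sent here first; LOG is
        # non-terminating, so the packet continues down INPUT afterwards
        if combined:
            if table.update(addr, now, seconds=300, hitcount=10):
                logged.append(now)
        else:
            table.update(addr, now)
            if table.rcheck(addr, now, seconds=300, hitcount=10):
                logged.append(now)
        # end of INPUT: nothing matched a closed port, so --set records it
        if not port_open:
            table.set(addr, now)
        counts.append(len(table.stamps.get(addr, [])))
    return counts, logged


def trace(n_closed, n_open, step=5):
    """Constructed trace: n_closed SYNs to closed ports, then n_open to open ones."""
    events, t = [], 0
    for _ in range(n_closed):
        events.append((t, ATTACKER, False))
        t += step
    for _ in range(n_open):
        events.append((t, ATTACKER, True))
        t += step
    return events


if __name__ == "__main__":
    for combined in (False, True):
        print("combined" if combined else "two rules", simulate(combined, trace(1, 12)))
```

With the two-rule limiter, one closed-port probe followed by open-port connections grows the entry by one timestamp per connection and the LOG rule fires from the tenth onward; with the combined rule the entry stays at a single timestamp and nothing is logged until ten closed-port probes land inside the 300 s window, after which the next connection of any kind matches and is logged. That is exactly the difference between the two snippets in the post.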
