implement COMMIT at the end of iptables-save

parser.go

@@ -64,6 +64,12 @@ func (d Policy) String() string {
 	return fmt.Sprintf("%s%s %s", prefix, d.Chain, d.Action)
 }
 
+type Commit struct{}
+
+func (c Commit) String() string {
+	return "COMMIT"
+}
+
 // Rule represents a rule in an iptables dump. Normally the start with -A.
 // The parser treats the -A flag like any other flag, thus does not require
 // the -A flag as the leading flag.
@@ -373,6 +379,8 @@ func (p *Parser) Parse() (l Line, err error) {
 		return p.parseRule()
 	case COLON:
 		return p.parseDefault(p.s.scanLine())
+	case COMMIT:
+		return Commit{}, nil
 	case EOF:
 		return nil, io.EOF // ErrEOF
 	case NEWLINE:

parser_test.go

@@ -1224,7 +1224,7 @@ func TestParser_ParseMore(t *testing.T) {
 			},
 		},
 		{
-			name: "Parse some rules from iptables -S",
+			name: "Parse some rules from iptables -S as well as iptables-save",
 			s: `-P INPUT ACCEPT
 			-P FORWARD DROP
 			-P OUTPUT ACCEPT
@@ -1233,7 +1233,8 @@ func TestParser_ParseMore(t *testing.T) {
 			-N DOCKER-ISOLATION-STAGE-2
 			-N DOCKER-USER
 			-A FORWARD -j DOCKER-USER
-			-A FORWARD -j DOCKER-ISOLATION-STAGE-1`,
+			-A FORWARD -j DOCKER-ISOLATION-STAGE-1
+			COMMIT`,
 			r: []interface{}{
 				Policy{
 					UserDefined: &_false,
@@ -1278,6 +1279,7 @@ func TestParser_ParseMore(t *testing.T) {
 						Name: "DOCKER-ISOLATION-STAGE-1",
 					},
 				},
+				Commit{},
 			},
 		},
 	} {

scanner.go

@@ -27,7 +27,11 @@ func (s *scanner) scan() (tok Token, lit string) {
 		return s.scanWhitespace()
 	case isLetter(ch) || isDigit(ch):
 		s.unread()
-		return s.scanIdent()
+		tok, lit := s.scanIdent()
+		if lit == "COMMIT" {
+			return COMMIT, "COMMIT"
+		}
+		return tok, lit
 	}
 
 	// Otherwise read the individual character.

token.go

@@ -10,6 +10,7 @@ const (
 
 	// Literals
 	IDENT // main
+	COMMIT
 
 	// Misc characters
 	COLON     // :