iptables manpage updates

iptables manpage updates

[Jan Engelhardt]

The following changes since commit 3be599b62869f2437f499e2386008d73b8c2e71b:

  extensions: libarpt_standard.t: Add a rule with builtin option masks (2023-11-09 15:55:33 +0100)

are available in the Git repository at:

  https://git.inai.de/iptables master

for you to fetch changes up to 4b0c168a7b50032ba64f75565f73340fc447bfab:

  man: more backslash-encoding of characters (2023-11-13 11:28:19 +0100)

----------------------------------------------------------------
Jan Engelhardt (7):
      man: consistent use of \(em in Name sections
      man: remove lone .nh command
      man: repeal manual hyphenation
      man: stop putting non-terminals in italic
      man: copy synopsis markup from iptables.8 to arptables-nft.8
      man: limit targets for -P option synopsis
      man: more backslash-encoding of characters

 extensions/libxt_CONNMARK.man    |   4 +-
 extensions/libxt_NFLOG.man       |   2 +-
 iptables/arptables-nft-restore.8 |   4 +-
 iptables/arptables-nft-save.8    |   2 +-
 iptables/arptables-nft.8         | 154 +++++++++++++++++++++------------------
 iptables/ebtables-nft.8          |   4 +-
 iptables/iptables-apply.8.in     |   4 +-
 iptables/iptables.8.in           |   8 +-
 iptables/xtables-nft.8           |  16 ++--
 iptables/xtables-translate.8     |  32 ++++----
 utils/nfbpf_compile.8.in         |   2 +-
 utils/nfnl_osf.8.in              |   2 +-
 12 files changed, 123 insertions(+), 111 deletions(-)

[PATCH 1/7] man: consistent use of \(em in Name sections

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/arptables-nft-restore.8 | 2 +-
 iptables/arptables-nft-save.8    | 2 +-
 iptables/arptables-nft.8         | 2 +-
 iptables/ebtables-nft.8          | 2 +-
 iptables/iptables-apply.8.in     | 2 +-
 utils/nfbpf_compile.8.in         | 2 +-
 utils/nfnl_osf.8.in              | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 09d9082c..0e525fe3 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-arptables-restore \- Restore ARP Tables (nft-based)
+arptables-restore \(em Restore ARP Tables (nft-based)
 .SH SYNOPSIS
 \fBarptables\-restore
 .SH DESCRIPTION
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
index 905e5985..e9171d5d 100644
--- a/iptables/arptables-nft-save.8
+++ b/iptables/arptables-nft-save.8
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-arptables-save \- dump arptables rules to stdout (nft-based)
+arptables-save \(em dump arptables rules to stdout (nft-based)
 .SH SYNOPSIS
 \fBarptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
 .P
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index ea31e084..659a2542 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -22,7 +22,7 @@
 .\"
 .\"
 .SH NAME
-arptables \- ARP table administration (nft-based)
+arptables \(em ARP table administration (nft-based)
 .SH SYNOPSIS
 .BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
 .br
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index ca12e2df..9fc845a1 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -24,7 +24,7 @@
 .\"     
 .\"
 .SH NAME
-ebtables \- Ethernet bridge frame table administration (nft-based)
+ebtables \(em Ethernet bridge frame table administration (nft-based)
 .SH SYNOPSIS
 .BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
 .br
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
index f0ed4e5f..5485199c 100644
--- a/iptables/iptables-apply.8.in
+++ b/iptables/iptables-apply.8.in
@@ -6,7 +6,7 @@
 .\" disable hyphenation
 .nh
 .SH NAME
-iptables-apply \- a safer way to update iptables remotely
+iptables-apply \(em a safer way to update iptables remotely
 .SH SYNOPSIS
 \fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
 .SH "DESCRIPTION"
diff --git a/utils/nfbpf_compile.8.in b/utils/nfbpf_compile.8.in
index d02979a5..b19d4fbb 100644
--- a/utils/nfbpf_compile.8.in
+++ b/utils/nfbpf_compile.8.in
@@ -1,7 +1,7 @@
 .TH NFBPF_COMPILE 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
 
 .SH NAME
-nfbpf_compile \- generate bytecode for use with xt_bpf
+nfbpf_compile \(em generate bytecode for use with xt_bpf
 .SH SYNOPSIS
 
 .ad l
diff --git a/utils/nfnl_osf.8.in b/utils/nfnl_osf.8.in
index 140b5c3f..7ade705a 100644
--- a/utils/nfnl_osf.8.in
+++ b/utils/nfnl_osf.8.in
@@ -1,7 +1,7 @@
 .TH NFNL_OSF 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
 
 .SH NAME
-nfnl_osf \- OS fingerprint loader utility
+nfnl_osf \(em OS fingerprint loader utility
 .SH SYNOPSIS
 
 .ad l
-- 
2.42.1

[PATCH 2/7] man: remove lone .nh command

[Jan Engelhardt]

No other manpage files use .nh, and I cannot see a reason
iptables-apply would exceptionally need it.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/iptables-apply.8.in | 2 --
 1 file changed, 2 deletions(-)

diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
index 5485199c..33fd79fe 100644
--- a/iptables/iptables-apply.8.in
+++ b/iptables/iptables-apply.8.in
@@ -3,8 +3,6 @@
 .\"      Date: May 10, 2010
 .\"
 .TH IPTABLES\-APPLY 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
-.\" disable hyphenation
-.nh
 .SH NAME
 iptables-apply \(em a safer way to update iptables remotely
 .SH SYNOPSIS
-- 
2.42.1

[PATCH 3/7] man: repeal manual hyphenation

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/arptables-nft.8 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index 659a2542..84775a86 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -303,8 +303,8 @@ Mangles Destination MAC Address to given value.
 Target of ARP mangle operation
 .BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
 .SS CLASSIFY
-This  module  allows you to set the skb->priority value (and thus clas-
-sify the packet into a specific CBQ class).
+This module allows you to set the skb->priority value (and thus
+classify the packet into a specific CBQ class).
 
 .TP
 .BR "--set-class major:minor"
-- 
2.42.1

[PATCH 4/7] man: stop putting non-terminals in italic

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/iptables.8.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index ecaa5553..90417e89 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -49,11 +49,11 @@ iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and N
 .PP
 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
 .PP
-rule-specification = [\fImatches...\fP] [\fItarget\fP]
+rule-specification := [matches...] [target]
 .PP
-match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
+match := \fB\-m\fP \fImatchname\fP [per-match-options]
 .PP
-target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
+target := \fB\-j\fP \fItargetname\fP [per-target-options]
 .SH DESCRIPTION
 \fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
 tables of IPv4 and IPv6 packet
-- 
2.42.1

[PATCH 5/7] man: copy synopsis markup from iptables.8 to arptables-nft.8

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/arptables-nft.8 | 42 ++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index 84775a86..8b403ee8 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -24,20 +24,34 @@
 .SH NAME
 arptables \(em ARP table administration (nft-based)
 .SH SYNOPSIS
-.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
-.br
-.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ]
-.br
-.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ]
-.br
-.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ]
-.br
-.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain"
-.br
-.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name"
-.br
-.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
-
+\fBarptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A|\-D\fP} \fIchain\fP
+\fIrule-specification\fP [options...]
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
+\fIrule-specification\fP
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
+rule-specification\fP
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP}
+[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
+.PP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name
+new-chain-name\fP
+.PP
+rule-specification := [matches...] [target]
+.PP
+match := \fB\-m\fP \fImatchname\fP [per-match-options]
+.PP
+target := \fB\-j\fP \fItargetname\fP [per-target-options]
 .SH DESCRIPTION
 .B arptables
 is a user space tool, it is used to set up and maintain the
-- 
2.42.1

[PATCH 6/7] man: limit targets for -P option synopsis

[Jan Engelhardt]

Do not suggest that -P could be used with arbitrary targets.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/arptables-nft.8 | 2 +-
 iptables/iptables.8.in   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index 8b403ee8..444b0015 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -42,7 +42,7 @@ rule-specification\fP
 .PP
 \fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
 .PP
-\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
+\fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain policy\fP
 .PP
 \fBarptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name
 new-chain-name\fP
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 90417e89..21fb891d 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -45,7 +45,7 @@ iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and N
 .PP
 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
 .PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain policy\fP
 .PP
 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
 .PP
-- 
2.42.1

[PATCH 7/7] man: more backslash-encoding of characters

[Jan Engelhardt]

"-" is the dash, "\-" is minus as we know, but groff lists some more
characters: "^" is "modifier circumflex" and "~" is "modifier tilde",
which, too, need to be escaped for our use.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_CONNMARK.man    |   4 +-
 extensions/libxt_NFLOG.man       |   2 +-
 iptables/arptables-nft-restore.8 |   2 +-
 iptables/arptables-nft.8         | 108 +++++++++++++++----------------
 iptables/ebtables-nft.8          |   2 +-
 iptables/xtables-nft.8           |  16 ++---
 iptables/xtables-translate.8     |  32 ++++-----
 7 files changed, 83 insertions(+), 83 deletions(-)

diff --git a/extensions/libxt_CONNMARK.man b/extensions/libxt_CONNMARK.man
index 93179239..742df11d 100644
--- a/extensions/libxt_CONNMARK.man
+++ b/extensions/libxt_CONNMARK.man
@@ -8,7 +8,7 @@ Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark.
 Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
 masks. The new nfmark value is determined as follows:
 .IP
-ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
+ctmark = (ctmark & \~ctmask) \^ (nfmark & nfmask)
 .IP
 i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the
 nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to
@@ -18,7 +18,7 @@ nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to
 Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
 masks. The new ctmark value is determined as follows:
 .IP
-nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP);
+nfmark = (nfmark & \~\fInfmask\fP) \^ (ctmark & \fIctmask\fP);
 .IP
 i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the
 ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to
diff --git a/extensions/libxt_NFLOG.man b/extensions/libxt_NFLOG.man
index 361311b2..43629893 100644
--- a/extensions/libxt_NFLOG.man
+++ b/extensions/libxt_NFLOG.man
@@ -9,7 +9,7 @@ may subscribe to the group to receive the packets. Like LOG, this is a
 non-terminating target, i.e. rule traversal continues at the next rule.
 .TP
 \fB\-\-nflog\-group\fP \fInlgroup\fP
-The netlink group (0\(en2^16\-1) to which packets are (only applicable for
+The netlink group (0\(en2\^16\-1) to which packets are (only applicable for
 nfnetlink_log). The default value is 0.
 .TP
 \fB\-\-nflog\-prefix\fP \fIprefix\fP
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 0e525fe3..596ca1c9 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -22,7 +22,7 @@
 .SH NAME
 arptables-restore \(em Restore ARP Tables (nft-based)
 .SH SYNOPSIS
-\fBarptables\-restore
+\fBarptables\-restore\fP
 .SH DESCRIPTION
 .PP
 .B arptables-restore
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index 444b0015..2bee9f2b 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -102,11 +102,11 @@ section of this man page.
 There is only one ARP table in the Linux
 kernel.  The table is
 .BR filter.
-You can drop the '-t filter' argument to the arptables command.
-The -t argument must be the
+You can drop the '\-t filter' argument to the arptables command.
+The \-t argument must be the
 first argument on the arptables command line, if used.
 .TP
-.B "-t, --table"
+.B "\-t, \-\-table"
 .br
 .BR filter ,
 is the only table and contains two built-in chains:
@@ -123,79 +123,79 @@ are commands, miscellaneous commands, rule-specifications, match-extensions,
 and watcher-extensions.
 .SS COMMANDS
 The arptables command arguments specify the actions to perform on the table
-defined with the -t argument.  If you do not use the -t argument to name
+defined with the \-t argument. If you do not use the \-t argument to name
 a table, the commands apply to the default filter table.
 With the exception of the
-.B "-Z"
+.B "\-Z"
 command, only one command may be used on the command line at a time.
 .TP
-.B "-A, --append"
+.B "\-A, \-\-append"
 Append a rule to the end of the selected chain.
 .TP
-.B "-D, --delete"
+.B "\-D, \-\-delete"
 Delete the specified rule from the selected chain. There are two ways to
 use this command. The first is by specifying an interval of rule numbers
 to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
-details about using negative numbers, see the -I command. The second usage is by
+details about using negative numbers, see the \-I command. The second usage is by
 specifying the complete rule as it would have been specified when it was added.
 .TP
-.B "-I, --insert"
+.B "\-I, \-\-insert"
 Insert the specified rule into the selected chain at the specified rule number.
 If the current number of rules equals N, then the specified number can be
-between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
+between \-N and N+1. For a positive number i, it holds that i and i\-N\-1 specify the
 same place in the chain where the rule should be inserted. The number 0 specifies
 the place past the last rule in the chain and using this number is therefore
-equivalent with using the -A command.
+equivalent with using the \-A command.
 .TP
-.B "-R, --replace"
+.B "\-R, \-\-replace"
 Replaces the specified rule into the selected chain at the specified rule number.
 If the current number of rules equals N, then the specified number can be
 between 1 and N. i specifies the place in the chain where the rule should be replaced.
 .TP
-.B "-P, --policy"
+.B "\-P, \-\-policy"
 Set the policy for the chain to the given target. The policy can be
 .BR ACCEPT ", " DROP " or " RETURN .
 .TP
-.B "-F, --flush"
+.B "\-F, \-\-flush"
 Flush the selected chain. If no chain is selected, then every chain will be
 flushed. Flushing the chain does not change the policy of the
 chain, however.
 .TP
-.B "-Z, --zero"
+.B "\-Z, \-\-zero"
 Set the counters of the selected chain to zero. If no chain is selected, all the counters
 are set to zero. The
-.B "-Z"
+.B "\-Z"
 command can be used in conjunction with the 
-.B "-L"
+.B "\-L"
 command.
 When both the
-.B "-Z"
+.B "\-Z"
 and
-.B "-L"
+.B "\-L"
 commands are used together in this way, the rule counters are printed on the screen
 before they are set to zero.
 .TP
-.B "-L, --list"
+.B "\-L, \-\-list"
 List all rules in the selected chain. If no chain is selected, all chains
 are listed.
 .TP
-.B "-N, --new-chain"
+.B "\-N, \-\-new-chain"
 Create a new user-defined chain with the given name. The number of
 user-defined chains is unlimited. A user-defined chain name has maximum
 length of 31 characters.
 .TP
-.B "-X, --delete-chain"
+.B "\-X, \-\-delete-chain"
 Delete the specified user-defined chain. There must be no remaining references
 to the specified chain, otherwise
 .B arptables
 will refuse to delete it. If no chain is specified, all user-defined
 chains that aren't referenced will be removed.
 .TP
-.B "-E, --rename-chain"
+.B "\-E, \-\-rename\-chain"
 Rename the specified chain to a new name.  Besides renaming a user-defined
 chain, you may rename a standard chain name to a name that suits your
 taste. For example, if you like PREBRIDGING more than PREROUTING,
-then you can use the -E command to rename the PREROUTING chain. If you do
+then you can use the \-E command to rename the PREROUTING chain. If you do
 rename one of the standard
 .B arptables
 chain names, please be sure to mention
@@ -211,13 +211,13 @@ kernel table.
 
 .SS MISCELLANOUS COMMANDS
 .TP
-.B "-V, --version"
+.B "\-V, \-\-version"
 Show the version of the arptables userspace program.
 .TP
-.B "-h, --help"
+.B "\-h, \-\-help"
 Give a brief description of the command syntax.
 .TP
-.BR "-j, --jump " "\fItarget\fP"
+.BR "\-j, \-\-jump " "\fItarget\fP"
 The target of the rule. This is one of the following values:
 .BR ACCEPT ,
 .BR DROP ,
@@ -227,7 +227,7 @@ a target extension (see
 .BR "TARGET EXTENSIONS" ")"
 or a user-defined chain name.
 .TP
-.BI "-c, --set-counters " "PKTS BYTES"
+.BI "\-c, \-\-set-counters " "PKTS BYTES"
 This enables the administrator to initialize the packet and byte
 counters of a rule (during
 .B INSERT,
@@ -241,38 +241,38 @@ in the add and delete commands). A "!" option before the specification
 inverts the test for that specification. Apart from these standard rule 
 specifications there are some other command line arguments of interest.
 .TP
-.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+.BR "\-s, \-\-source\-ip " "[!] \fIaddress\fP[/\fImask]\fP"
 The Source IP specification.
 .TP 
-.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+.BR "\-d, \-\-destination\-ip " "[!] \fIaddress\fP[/\fImask]\fP"
 The Destination IP specification.
 .TP 
-.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+.BR "\-\-source\-mac " "[!] \fIaddress\fP[/\fImask\fP]"
 The source mac address. Both mask and address are written as 6 hexadecimal
 numbers separated by colons.
 .TP
-.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+.BR "\-\-destination\-mac " "[!] \fIaddress\fP[/\fImask\fP]"
 The destination mac address. Both mask and address are written as 6 hexadecimal
 numbers separated by colons.
 .TP 
-.BR "-i, --in-interface " "[!] \fIname\fP"
+.BR "\-i, \-\-in\-interface " "[!] \fIname\fP"
 The interface via which a frame is received (for the
 .B INPUT
 chain). The flag
-.B --in-if
+.B \-\-in\-if
 is an alias for this option.
 .TP
-.BR "-o, --out-interface " "[!] \fIname\fP"
+.BR "\-o, \-\-out-interface " "[!] \fIname\fP"
 The interface via which a frame is going to be sent (for the
 .B OUTPUT
 chain). The flag
-.B --out-if
+.B \-\-out\-if
 is an alias for this option.
 .TP
-.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]"
+.BR "\-l, \-\-h\-length " "\fIlength\fP[/\fImask\fP]"
 The hardware length (nr of bytes)
 .TP
-.BR "--opcode " "\fIcode\fP[/\fImask\fP]
+.BR "\-\-opcode " "\fIcode\fP[/\fImask\fP]
 The operation code (2 bytes). Available values are:
 .BR 1 = Request
 .BR 2 = Reply
@@ -284,63 +284,63 @@ The operation code (2 bytes). Available values are:
 .BR 8 = InARP_Request
 .BR 9 = ARP_NAK .
 .TP
-.BR "--h-type " "\fItype\fP[/\fImask\fP]"
+.BR "\-\-h\-type " "\fItype\fP[/\fImask\fP]"
 The hardware type (2 bytes, hexadecimal). Available values are:
 .BR 1 = Ethernet .
 .TP
-.BR "--proto-type " "\fItype\fP[/\fImask\fP]"
+.BR "\-\-proto\-type " "\fItype\fP[/\fImask\fP]"
 The protocol type (2 bytes). Available values are:
 .BR 0x800 = IPv4 .
 
 .SS TARGET-EXTENSIONS
 .B arptables
 extensions are precompiled into the userspace tool. So there is no need
-to explicitly load them with a -m option like in
+to explicitly load them with a \-m option like in
 .BR iptables .
 However, these
 extensions deal with functionality supported by supplemental kernel modules.
 .SS mangle
 .TP
-.BR "--mangle-ip-s IP address"
+.BR "\-\-mangle\-ip\-s IP address"
 Mangles Source IP Address to given value.
 .TP
-.BR "--mangle-ip-d IP address"
+.BR "\-\-mangle\-ip\-d IP address"
 Mangles Destination IP Address to given value.
 .TP
-.BR "--mangle-mac-s MAC address"
+.BR "\-\-mangle\-mac\-s MAC address"
 Mangles Source MAC Address to given value.
 .TP
-.BR "--mangle-mac-d MAC address"
+.BR "\-\-mangle\-mac\-d MAC address"
 Mangles Destination MAC Address to given value.
 .TP
-.BR "--mangle-target target "
+.BR "\-\-mangle\-target target "
 Target of ARP mangle operation
-.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.BR "" ( DROP ", " CONTINUE " or " ACCEPT " \(em default is " ACCEPT ).
 .SS CLASSIFY
-This module allows you to set the skb->priority value (and thus
+This module allows you to set the skb\->priority value (and thus
 classify the packet into a specific CBQ class).
 
 .TP
-.BR "--set-class major:minor"
+.BR "\-\-set\-class major:minor"
 
 Set the major and minor  class  value.  The  values  are  always
 interpreted as hexadecimal even if no 0x prefix is given.
 
 .SS MARK
-This  module  allows you to set the skb->mark value (and thus classify
+This  module  allows you to set the skb\->mark value (and thus classify
 the packet by the mark in u32)
 
 .TP
-.BR "--set-mark mark"
+.BR "\-\-set\-mark mark"
 Set the mark value. The  values  are  always
 interpreted as hexadecimal even if no 0x prefix is given
 
 .TP
-.BR "--and-mark mark"
+.BR "\-\-and\-mark mark"
 Binary AND the mark with bits.
 
 .TP
-.BR "--or-mark mark"
+.BR "\-\-or\-mark mark"
 Binary OR the mark with bits.
 
 .SH NOTES
@@ -357,6 +357,6 @@ chain in
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
 .SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.BR xtables\-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
 .PP
 .BR "" "See " https://wiki.nftables.org
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 9fc845a1..641008cf 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -858,7 +858,7 @@ Log with the default logging options
 .TP
 .B --nflog-group "\fInlgroup\fP"
 .br
-The netlink group (1\(en2^32\-1) to which packets are (only applicable for
+The netlink group (1\(en2\^32\-1) to which packets are (only applicable for
 nfnetlink_log). The default value is 1.
 .TP
 .B --nflog-prefix "\fIprefix\fP"
diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8
index 702bf954..3ced29ca 100644
--- a/iptables/xtables-nft.8
+++ b/iptables/xtables-nft.8
@@ -105,15 +105,15 @@ One basic example is creating the skeleton ruleset in nf_tables from the
 xtables-nft tools, in a fresh machine:
 
 .nf
-	root@machine:~# iptables\-nft \-L
+	root@machine:\~# iptables\-nft \-L
 	[...]
-	root@machine:~# ip6tables\-nft \-L
+	root@machine:\~# ip6tables\-nft \-L
 	[...]
-	root@machine:~# arptables\-nft \-L
+	root@machine:\~# arptables\-nft \-L
 	[...]
-	root@machine:~# ebtables\-nft \-L
+	root@machine:\~# ebtables\-nft \-L
 	[...]
-	root@machine:~# nft list ruleset
+	root@machine:\~# nft list ruleset
 	table ip filter {
 		chain INPUT {
 			type filter hook input priority 0; policy accept;
@@ -175,12 +175,12 @@ To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP,
 you would use:
 
 .nf
-	root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables
-	root@machine:~# iptables\-nft\-restore myruleset   # writes to nf_tables
+	root@machine:\~# iptables\-legacy\-save > myruleset # reads from x_tables
+	root@machine:\~# iptables\-nft\-restore myruleset   # writes to nf_tables
 .fi
 or
 .nf
-	root@machine:~# iptables\-legacy\-save | iptables-translate-restore | less
+	root@machine:\~# iptables\-legacy\-save | iptables\-translate\-restore | less
 .fi
 
 to see how rules would look like in the nft
diff --git a/iptables/xtables-translate.8 b/iptables/xtables-translate.8
index a048e8c9..ba16c525 100644
--- a/iptables/xtables-translate.8
+++ b/iptables/xtables-translate.8
@@ -38,15 +38,15 @@ ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP and \fBebtables(8)\fP to
 The available commands are:
 
 .IP \[bu] 2
-iptables-translate
+iptables\-translate
 .IP \[bu]
-iptables-restore-translate
+iptables\-restore\-translate
 .IP \[bu] 2
-ip6tables-translate
+ip6tables\-translate
 .IP \[bu]
-ip6tables-restore-translate
+ip6tables\-restore\-translate
 .IP \[bu] 2
-ebtables-translate
+ebtables\-translate
 
 .SH USAGE
 They take as input the original
@@ -69,38 +69,38 @@ Basic operation examples.
 Single command translation:
 
 .nf
-root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+root@machine:\~# iptables\-translate \-A INPUT \-p tcp \-\-dport 22 \-m conntrack \-\-ctstate NEW \-j ACCEPT
 nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
 
-root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
+root@machine:\~# ip6tables\-translate \-A FORWARD \-i eth0 \-o eth3 \-p udp \-m multiport \-\-dports 111,222 \-j ACCEPT
 nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
 .fi
 
 Whole ruleset translation:
 
 .nf
-root@machine:~# iptables-save > save.txt
-root@machine:~# cat save.txt
-# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
+root@machine:\~# iptables\-save > save.txt
+root@machine:\~# cat save.txt
+# Generated by iptables\-save v1.6.0 on Sat Dec 24 14:26:40 2016
 *filter
 :INPUT ACCEPT [5166:1752111]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [5058:628693]
--A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+\-A FORWARD \-p tcp \-m tcp \-\-dport 22 \-m conntrack \-\-ctstate NEW \-j ACCEPT
 COMMIT
 # Completed on Sat Dec 24 14:26:40 2016
 
-root@machine:~# iptables-restore-translate -f save.txt
-# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
+root@machine:\~# iptables\-restore\-translate \-f save.txt
+# Translated by iptables\-restore\-translate v1.6.0 on Sat Dec 24 14:26:59 2016
 add table ip filter
 add chain ip filter INPUT { type filter hook input priority 0; }
 add chain ip filter FORWARD { type filter hook forward priority 0; }
 add chain ip filter OUTPUT { type filter hook output priority 0; }
 add rule ip filter FORWARD tcp dport 22 ct state new counter accept
 
-root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
-root@machine:~# nft -f ruleset.nft
-root@machine:~# nft list ruleset
+root@machine:\~# iptables\-restore\-translate \-f save.txt > ruleset.nft
+root@machine:\~# nft \-f ruleset.nft
+root@machine:\~# nft list ruleset
 table ip filter {
 	chain INPUT {
 		type filter hook input priority 0; policy accept;
-- 
2.42.1

Re: iptables manpage updates

[Florian Westphal]

Jan Engelhardt <jengelh@inai.de> wrote:
> 
> The following changes since commit 3be599b62869f2437f499e2386008d73b8c2e71b:
> 
>   extensions: libarpt_standard.t: Add a rule with builtin option masks (2023-11-09 15:55:33 +0100)
> 
> are available in the Git repository at:
> 
>   https://git.inai.de/iptables master

Also pulled, thanks Jan.