man: more backslash-encoding of characters

"-" is the dash, "\-" is minus as we know, but groff lists some more
characters: "^" is "modifier circumflex" and "~" is "modifier tilde",
which, too, need to be escaped for our use.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>

5 files changed, 80 insertions, 80 deletions

diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 0e525fe3..596ca1c9 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -22,7 +22,7 @@
 .SH NAME
 arptables-restore \(em Restore ARP Tables (nft-based)
 .SH SYNOPSIS
-\fBarptables\-restore
+\fBarptables\-restore\fP
 .SH DESCRIPTION
 .PP
 .B arptables-restore
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index 444b0015..2bee9f2b 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -102,11 +102,11 @@ section of this man page.
 There is only one ARP table in the Linux
 kernel.  The table is
 .BR filter.
-You can drop the '-t filter' argument to the arptables command.
-The -t argument must be the
+You can drop the '\-t filter' argument to the arptables command.
+The \-t argument must be the
 first argument on the arptables command line, if used.
 .TP
-.B "-t, --table"
+.B "\-t, \-\-table"
 .br
 .BR filter ,
 is the only table and contains two built-in chains:
@@ -123,79 +123,79 @@ are commands, miscellaneous commands, rule-specifications, match-extensions,
 and watcher-extensions.
 .SS COMMANDS
 The arptables command arguments specify the actions to perform on the table
-defined with the -t argument.  If you do not use the -t argument to name
+defined with the \-t argument. If you do not use the \-t argument to name
 a table, the commands apply to the default filter table.
 With the exception of the
-.B "-Z"
+.B "\-Z"
 command, only one command may be used on the command line at a time.
 .TP
-.B "-A, --append"
+.B "\-A, \-\-append"
 Append a rule to the end of the selected chain.
 .TP
-.B "-D, --delete"
+.B "\-D, \-\-delete"
 Delete the specified rule from the selected chain. There are two ways to
 use this command. The first is by specifying an interval of rule numbers
 to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
-details about using negative numbers, see the -I command. The second usage is by
+details about using negative numbers, see the \-I command. The second usage is by
 specifying the complete rule as it would have been specified when it was added.
 .TP
-.B "-I, --insert"
+.B "\-I, \-\-insert"
 Insert the specified rule into the selected chain at the specified rule number.
 If the current number of rules equals N, then the specified number can be
-between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
+between \-N and N+1. For a positive number i, it holds that i and i\-N\-1 specify the
 same place in the chain where the rule should be inserted. The number 0 specifies
 the place past the last rule in the chain and using this number is therefore
-equivalent with using the -A command.
+equivalent with using the \-A command.
 .TP
-.B "-R, --replace"
+.B "\-R, \-\-replace"
 Replaces the specified rule into the selected chain at the specified rule number.
 If the current number of rules equals N, then the specified number can be
 between 1 and N. i specifies the place in the chain where the rule should be replaced.
 .TP
-.B "-P, --policy"
+.B "\-P, \-\-policy"
 Set the policy for the chain to the given target. The policy can be
 .BR ACCEPT ", " DROP " or " RETURN .
 .TP
-.B "-F, --flush"
+.B "\-F, \-\-flush"
 Flush the selected chain. If no chain is selected, then every chain will be
 flushed. Flushing the chain does not change the policy of the
 chain, however.
 .TP
-.B "-Z, --zero"
+.B "\-Z, \-\-zero"
 Set the counters of the selected chain to zero. If no chain is selected, all the counters
 are set to zero. The
-.B "-Z"
+.B "\-Z"
 command can be used in conjunction with the 
-.B "-L"
+.B "\-L"
 command.
 When both the
-.B "-Z"
+.B "\-Z"
 and
-.B "-L"
+.B "\-L"
 commands are used together in this way, the rule counters are printed on the screen
 before they are set to zero.
 .TP
-.B "-L, --list"
+.B "\-L, \-\-list"
 List all rules in the selected chain. If no chain is selected, all chains
 are listed.
 .TP
-.B "-N, --new-chain"
+.B "\-N, \-\-new-chain"
 Create a new user-defined chain with the given name. The number of
 user-defined chains is unlimited. A user-defined chain name has maximum
 length of 31 characters.
 .TP
-.B "-X, --delete-chain"
+.B "\-X, \-\-delete-chain"
 Delete the specified user-defined chain. There must be no remaining references
 to the specified chain, otherwise
 .B arptables
 will refuse to delete it. If no chain is specified, all user-defined
 chains that aren't referenced will be removed.
 .TP
-.B "-E, --rename-chain"
+.B "\-E, \-\-rename\-chain"
 Rename the specified chain to a new name.  Besides renaming a user-defined
 chain, you may rename a standard chain name to a name that suits your
 taste. For example, if you like PREBRIDGING more than PREROUTING,
-then you can use the -E command to rename the PREROUTING chain. If you do
+then you can use the \-E command to rename the PREROUTING chain. If you do
 rename one of the standard
 .B arptables
 chain names, please be sure to mention
@@ -211,13 +211,13 @@ kernel table.
 
 .SS MISCELLANOUS COMMANDS
 .TP
-.B "-V, --version"
+.B "\-V, \-\-version"
 Show the version of the arptables userspace program.
 .TP
-.B "-h, --help"
+.B "\-h, \-\-help"
 Give a brief description of the command syntax.
 .TP
-.BR "-j, --jump " "\fItarget\fP"
+.BR "\-j, \-\-jump " "\fItarget\fP"
 The target of the rule. This is one of the following values:
 .BR ACCEPT ,
 .BR DROP ,
@@ -227,7 +227,7 @@ a target extension (see
 .BR "TARGET EXTENSIONS" ")"
 or a user-defined chain name.
 .TP
-.BI "-c, --set-counters " "PKTS BYTES"
+.BI "\-c, \-\-set-counters " "PKTS BYTES"
 This enables the administrator to initialize the packet and byte
 counters of a rule (during
 .B INSERT,
@@ -241,38 +241,38 @@ in the add and delete commands). A "!" option before the specification
 inverts the test for that specification. Apart from these standard rule 
 specifications there are some other command line arguments of interest.
 .TP
-.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+.BR "\-s, \-\-source\-ip " "[!] \fIaddress\fP[/\fImask]\fP"
 The Source IP specification.
 .TP 
-.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+.BR "\-d, \-\-destination\-ip " "[!] \fIaddress\fP[/\fImask]\fP"
 The Destination IP specification.
 .TP 
-.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+.BR "\-\-source\-mac " "[!] \fIaddress\fP[/\fImask\fP]"
 The source mac address. Both mask and address are written as 6 hexadecimal
 numbers separated by colons.
 .TP
-.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+.BR "\-\-destination\-mac " "[!] \fIaddress\fP[/\fImask\fP]"
 The destination mac address. Both mask and address are written as 6 hexadecimal
 numbers separated by colons.
 .TP 
-.BR "-i, --in-interface " "[!] \fIname\fP"
+.BR "\-i, \-\-in\-interface " "[!] \fIname\fP"
 The interface via which a frame is received (for the
 .B INPUT
 chain). The flag
-.B --in-if
+.B \-\-in\-if
 is an alias for this option.
 .TP
-.BR "-o, --out-interface " "[!] \fIname\fP"
+.BR "\-o, \-\-out-interface " "[!] \fIname\fP"
 The interface via which a frame is going to be sent (for the
 .B OUTPUT
 chain). The flag
-.B --out-if
+.B \-\-out\-if
 is an alias for this option.
 .TP
-.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]"
+.BR "\-l, \-\-h\-length " "\fIlength\fP[/\fImask\fP]"
 The hardware length (nr of bytes)
 .TP
-.BR "--opcode " "\fIcode\fP[/\fImask\fP]
+.BR "\-\-opcode " "\fIcode\fP[/\fImask\fP]
 The operation code (2 bytes). Available values are:
 .BR 1 = Request
 .BR 2 = Reply
@@ -284,63 +284,63 @@ The operation code (2 bytes). Available values are:
 .BR 8 = InARP_Request
 .BR 9 = ARP_NAK .
 .TP
-.BR "--h-type " "\fItype\fP[/\fImask\fP]"
+.BR "\-\-h\-type " "\fItype\fP[/\fImask\fP]"
 The hardware type (2 bytes, hexadecimal). Available values are:
 .BR 1 = Ethernet .
 .TP
-.BR "--proto-type " "\fItype\fP[/\fImask\fP]"
+.BR "\-\-proto\-type " "\fItype\fP[/\fImask\fP]"
 The protocol type (2 bytes). Available values are:
 .BR 0x800 = IPv4 .
 
 .SS TARGET-EXTENSIONS
 .B arptables
 extensions are precompiled into the userspace tool. So there is no need
-to explicitly load them with a -m option like in
+to explicitly load them with a \-m option like in
 .BR iptables .
 However, these
 extensions deal with functionality supported by supplemental kernel modules.
 .SS mangle
 .TP
-.BR "--mangle-ip-s IP address"
+.BR "\-\-mangle\-ip\-s IP address"
 Mangles Source IP Address to given value.
 .TP
-.BR "--mangle-ip-d IP address"
+.BR "\-\-mangle\-ip\-d IP address"
 Mangles Destination IP Address to given value.
 .TP
-.BR "--mangle-mac-s MAC address"
+.BR "\-\-mangle\-mac\-s MAC address"
 Mangles Source MAC Address to given value.
 .TP
-.BR "--mangle-mac-d MAC address"
+.BR "\-\-mangle\-mac\-d MAC address"
 Mangles Destination MAC Address to given value.
 .TP
-.BR "--mangle-target target "
+.BR "\-\-mangle\-target target "
 Target of ARP mangle operation
-.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.BR "" ( DROP ", " CONTINUE " or " ACCEPT " \(em default is " ACCEPT ).
 .SS CLASSIFY
-This module allows you to set the skb->priority value (and thus
+This module allows you to set the skb\->priority value (and thus
 classify the packet into a specific CBQ class).
 
 .TP
-.BR "--set-class major:minor"
+.BR "\-\-set\-class major:minor"
 
 Set the major and minor  class  value.  The  values  are  always
 interpreted as hexadecimal even if no 0x prefix is given.
 
 .SS MARK
-This  module  allows you to set the skb->mark value (and thus classify
+This  module  allows you to set the skb\->mark value (and thus classify
 the packet by the mark in u32)
 
 .TP
-.BR "--set-mark mark"
+.BR "\-\-set\-mark mark"
 Set the mark value. The  values  are  always
 interpreted as hexadecimal even if no 0x prefix is given
 
 .TP
-.BR "--and-mark mark"
+.BR "\-\-and\-mark mark"
 Binary AND the mark with bits.
 
 .TP
-.BR "--or-mark mark"
+.BR "\-\-or\-mark mark"
 Binary OR the mark with bits.
 
 .SH NOTES
@@ -357,6 +357,6 @@ chain in
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
 .SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.BR xtables\-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
 .PP
 .BR "" "See " https://wiki.nftables.org
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 9fc845a1..641008cf 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -858,7 +858,7 @@ Log with the default logging options
 .TP
 .B --nflog-group "\fInlgroup\fP"
 .br
-The netlink group (1\(en2^32\-1) to which packets are (only applicable for
+The netlink group (1\(en2\^32\-1) to which packets are (only applicable for
 nfnetlink_log). The default value is 1.
 .TP
 .B --nflog-prefix "\fIprefix\fP"
diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8
index 702bf954..3ced29ca 100644
--- a/iptables/xtables-nft.8
+++ b/iptables/xtables-nft.8
@@ -105,15 +105,15 @@ One basic example is creating the skeleton ruleset in nf_tables from the
 xtables-nft tools, in a fresh machine:
 
 .nf
-	root@machine:~# iptables\-nft \-L
+	root@machine:\~# iptables\-nft \-L
 	[...]
-	root@machine:~# ip6tables\-nft \-L
+	root@machine:\~# ip6tables\-nft \-L
 	[...]
-	root@machine:~# arptables\-nft \-L
+	root@machine:\~# arptables\-nft \-L
 	[...]
-	root@machine:~# ebtables\-nft \-L
+	root@machine:\~# ebtables\-nft \-L
 	[...]
-	root@machine:~# nft list ruleset
+	root@machine:\~# nft list ruleset
 	table ip filter {
 		chain INPUT {
 			type filter hook input priority 0; policy accept;
@@ -175,12 +175,12 @@ To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP,
 you would use:
 
 .nf
-	root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables
-	root@machine:~# iptables\-nft\-restore myruleset   # writes to nf_tables
+	root@machine:\~# iptables\-legacy\-save > myruleset # reads from x_tables
+	root@machine:\~# iptables\-nft\-restore myruleset   # writes to nf_tables
 .fi
 or
 .nf
-	root@machine:~# iptables\-legacy\-save | iptables-translate-restore | less
+	root@machine:\~# iptables\-legacy\-save | iptables\-translate\-restore | less
 .fi
 
 to see how rules would look like in the nft
diff --git a/iptables/xtables-translate.8 b/iptables/xtables-translate.8
index a048e8c9..ba16c525 100644
--- a/iptables/xtables-translate.8
+++ b/iptables/xtables-translate.8
@@ -38,15 +38,15 @@ ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP and \fBebtables(8)\fP to
 The available commands are:
 
 .IP \[bu] 2
-iptables-translate
+iptables\-translate
 .IP \[bu]
-iptables-restore-translate
+iptables\-restore\-translate
 .IP \[bu] 2
-ip6tables-translate
+ip6tables\-translate
 .IP \[bu]
-ip6tables-restore-translate
+ip6tables\-restore\-translate
 .IP \[bu] 2
-ebtables-translate
+ebtables\-translate
 
 .SH USAGE
 They take as input the original
@@ -69,38 +69,38 @@ Basic operation examples.
 Single command translation:
 
 .nf
-root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+root@machine:\~# iptables\-translate \-A INPUT \-p tcp \-\-dport 22 \-m conntrack \-\-ctstate NEW \-j ACCEPT
 nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
 
-root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
+root@machine:\~# ip6tables\-translate \-A FORWARD \-i eth0 \-o eth3 \-p udp \-m multiport \-\-dports 111,222 \-j ACCEPT
 nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
 .fi
 
 Whole ruleset translation:
 
 .nf
-root@machine:~# iptables-save > save.txt
-root@machine:~# cat save.txt
-# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
+root@machine:\~# iptables\-save > save.txt
+root@machine:\~# cat save.txt
+# Generated by iptables\-save v1.6.0 on Sat Dec 24 14:26:40 2016
 *filter
 :INPUT ACCEPT [5166:1752111]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [5058:628693]
--A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+\-A FORWARD \-p tcp \-m tcp \-\-dport 22 \-m conntrack \-\-ctstate NEW \-j ACCEPT
 COMMIT
 # Completed on Sat Dec 24 14:26:40 2016
 
-root@machine:~# iptables-restore-translate -f save.txt
-# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
+root@machine:\~# iptables\-restore\-translate \-f save.txt
+# Translated by iptables\-restore\-translate v1.6.0 on Sat Dec 24 14:26:59 2016
 add table ip filter
 add chain ip filter INPUT { type filter hook input priority 0; }
 add chain ip filter FORWARD { type filter hook forward priority 0; }
 add chain ip filter OUTPUT { type filter hook output priority 0; }
 add rule ip filter FORWARD tcp dport 22 ct state new counter accept
 
-root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
-root@machine:~# nft -f ruleset.nft
-root@machine:~# nft list ruleset
+root@machine:\~# iptables\-restore\-translate \-f save.txt > ruleset.nft
+root@machine:\~# nft \-f ruleset.nft
+root@machine:\~# nft list ruleset
 table ip filter {
 	chain INPUT {
 		type filter hook input priority 0; policy accept;