Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

2014-01-16 08:54:53 -08:00 · 2014-01-16 08:54:53 -08:00 · 51d6aa9165
commit 51d6aa9165
parent a5906ece44 44e0d48fc5
84 changed files with 929 additions and 683 deletions
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite-vardir</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -54,7 +56,7 @@
        /opt/var/lib/shorewall-lite/.</para>
      </blockquote>
-      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
+      <para>When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
      will save its state in the <replaceable>directory</replaceable>
      specified.</para>
    </note>
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>Administrative Commands</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-accounting</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-actions</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -24,8 +26,8 @@
    <title>Description</title>
    <para>This file allows you to define new ACTIONS for use in rules (see
-    <ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>). You define
+    <ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>).
-    the iptables rules to be performed in an ACTION in
+    You define the iptables rules to be performed in an ACTION in
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
    <para>Columns are:</para>
--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-arprules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-blacklist.xml
+++ b/Shorewall/manpages/shorewall-blacklist.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-blacklist</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -44,8 +46,8 @@
          (if your kernel and iptables contain iprange match support) or ipset
          name prefaced by "+" (if your kernel supports ipset match).
          Exclusion (<ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          supported.</para>
+          is supported.</para>
          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-blrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -33,8 +35,9 @@
    connections in the NEW and INVALID states.</para>
    <para>The format of rules in this file is the same as the format of rules
-    in <ulink url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>. The
+    in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
-    difference in the two files lies in the ACTION (first) column.</para>
+    (5)</ulink>. The difference in the two files lies in the ACTION (first)
    column.</para>
    <variablelist>
      <varlistentry>
@ -69,8 +72,8 @@
                <itemizedlist>
                  <listitem>
                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
-                    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
+                    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
-                    the macro expands to <emphasis
+                    then the macro expands to <emphasis
                    role="bold">blacklog</emphasis>.</para>
                  </listitem>
@ -88,10 +91,11 @@
              <listitem>
                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
-                <ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5).
+                <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-                Logs, audits (if specified) and applies the
+                </ulink>(5). Logs, audits (if specified) and applies the
                BLACKLIST_DISPOSITION specified in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
                (5).</para>
              </listitem>
            </varlistentry>
@ -205,8 +209,8 @@
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-                in /usr/share/shorewall/actions.std.</para>
+                or in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>
@ -237,8 +241,8 @@
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
+          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-          /usr/share/shorewall/actions.std then:</para>
+          or in /usr/share/shorewall/actions.std then:</para>
          <itemizedlist>
            <listitem>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-conntrack</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -365,7 +367,8 @@
          <para>Where <replaceable>interface</replaceable> is an interface to
          that zone, and <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
-          <ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
+          <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
          (5)).</para>
          <para>COMMENT is only allowed in format 1; the remainder of the line
@ -381,7 +384,8 @@
        <listitem>
          <para>where <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
-          <ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
+          <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
          (5)).</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-ecn</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -64,12 +66,13 @@
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-exclusion</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -88,8 +90,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    <para>In most contexts, ipset names can be used as an
    <replaceable>address-or-range</replaceable>. Beginning with Shorewall
    4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
-    url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
+    url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The
-    of these lists when used in an exclusion are as follows:</para>
+    semantics of these lists when used in an exclusion are as follows:</para>
    <itemizedlist>
      <listitem>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-hosts</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -29,8 +31,8 @@
    <para>The order of entries in this file is not significant in determining
    zone composition. Rather, the order that the zones are declared in <ulink
-    url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
+    url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines
-    in which the records in this file are interpreted.</para>
+    the order in which the records in this file are interpreted.</para>
    <warning>
      <para>The only time that you need this file is when you have more than
@ -39,9 +41,9 @@
    <warning>
      <para>If you have an entry for a zone and interface in <ulink
-      url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
+      url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-      not include any entries in this file for that same (zone, interface)
+      then do not include any entries in this file for that same (zone,
-      pair.</para>
+      interface) pair.</para>
    </warning>
    <para>The columns in the file are as follows.</para>
@ -53,8 +55,8 @@
        <listitem>
          <para>The name of a zone declared in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You may not
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You
-          list the firewall zone in this column.</para>
+          may not list the firewall zone in this column.</para>
        </listitem>
      </varlistentry>
@ -67,9 +69,9 @@
        <listitem>
          <para>The name of an interface defined in the <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          followed by a colon (":") and a comma-separated list whose elements
+          file followed by a colon (":") and a comma-separated list whose
-          are either:</para>
+          elements are either:</para>
          <orderedlist numeration="loweralpha">
            <listitem>
@ -169,8 +171,8 @@
                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                that if the zone named in the ZONE column is specified as an
                IPSEC zone in the <ulink
-                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) file
+                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
-                then you do NOT need to specify the 'ipsec' option
+                file then you do NOT need to specify the 'ipsec' option
                here.</para>
              </listitem>
            </varlistentry>
@ -181,8 +183,8 @@
              <listitem>
                <para>Connection requests from these hosts are compared
                against the contents of <ulink
-                url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
-                this option is specified, the interface must be an Ethernet
+                If this option is specified, the interface must be an Ethernet
                NIC or equivalent and must be up before Shorewall is
                started.</para>
              </listitem>
@ -212,8 +214,8 @@
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
-                logging, the packets are dropped.</para>
+                After logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-init</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>Administrative Commands</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -145,10 +147,11 @@
    <para>On a laptop with both Ethernet and wireless interfaces, you will
    want to make both interfaces optional and set the REQUIRE_INTERFACE option
-    to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5) or
+    to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-    <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+    </ulink>(5) or <ulink
-    (5). This causes the firewall to remain stopped until at least one of the
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). This
-    interfaces comes up.</para>
+    causes the firewall to remain stopped until at least one of the interfaces
    comes up.</para>
  </refsect1>
  <refsect1>
@ -163,12 +166,13 @@
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-interfaces</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -71,7 +73,8 @@
          in this column.</para>
          <para>If the interface serves multiple zones that will be defined in
-          the <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
+          the <ulink
          url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
          file, you should place "-" in this column.</para>
          <para>If there are multiple interfaces to the same zone, you must
@ -111,8 +114,8 @@ loc     eth2            -</programlisting>
          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
          a matching specific interface. See <ulink
-          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
+          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
-          discussion of this problem.</para>
+          for a discussion of this problem.</para>
          <para>Shorewall allows '+' as an interface name.</para>
@ -433,8 +436,8 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Connection requests from this interface are compared
                against the contents of <ulink
-                url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
-                this option is specified, the interface must be an Ethernet
+                If this option is specified, the interface must be an Ethernet
                NIC and must be up before Shorewall is started.</para>
              </listitem>
            </varlistentry>
@ -486,8 +489,8 @@ loc     eth2            -</programlisting>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
-                logging, the packets are dropped.</para>
+                After logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>
@ -631,9 +634,9 @@ loc     eth2            -</programlisting>
                <important>
                  <para>If ROUTE_FILTER=Yes in <ulink
-                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), or if
+                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
-                  your distribution sets net.ipv4.conf.all.rp_filter=1 in
+                  or if your distribution sets net.ipv4.conf.all.rp_filter=1
-                  <filename>/etc/sysctl.conf</filename>, then setting
+                  in <filename>/etc/sysctl.conf</filename>, then setting
                  <emphasis role="bold">routefilter</emphasis>=0 in an
                  <replaceable>interface</replaceable> entry will not disable
                  route filtering on that
@ -653,8 +656,8 @@ loc     eth2            -</programlisting>
                  <itemizedlist>
                    <listitem>
                      <para>If USE_DEFAULT_RT=Yes in <ulink
-                      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
+                      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
-                      the interface is listed in <ulink
+                      and the interface is listed in <ulink
                      url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
                    </listitem>
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-ipsets</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -79,7 +81,8 @@
    specified, matching packets must match all of the listed sets.</para>
    <para>For information about set lists and exclusion, see <ulink
-    url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
+    url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
    (5).</para>
    <para>Beginning with Shorewall 4.5.16, you can increment one or more
    nfacct objects each time a packet matches an ipset. You do that by listing
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-maclist</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -27,9 +29,9 @@
    associated IP addresses to be allowed to use the specified interface. The
    feature is enabled by using the <emphasis role="bold">maclist</emphasis>
    option in the <ulink
-    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
+    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-    url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
+    or <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
-    file.</para>
+    configuration file.</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
@ -45,8 +47,8 @@
        <listitem>
          <para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
          role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
-          also allowed). If specified, the
+          REJECT is also allowed). If specified, the
          <replaceable>log-level</replaceable> causes packets matching the
          rule to be logged at that level.</para>
        </listitem>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-mangle</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -24,13 +26,15 @@
    <title>Description</title>
    <para>This file was introduced in Shorewall 4.6.0 and is intended to
-    replace <ulink url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>.
+    replace <ulink
-    This file is only processed by the compiler if:</para>
+    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
    file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
      <listitem>
        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
-        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>); or</para>
+        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
        or</para>
      </listitem>
      <listitem>
@ -44,10 +48,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final mark for
+      evaluation of rules in this file will continue after a match. So the
-      each packet will be the one assigned by the LAST tcrule that
+      final mark for each packet will be the one assigned by the LAST tcrule
-      matches.</para>
+      that matches.</para>
      <para>If you use multiple internet providers with the 'track' option, in
      /etc/shorewall/providers be sure to read the restrictions at <ulink
@ -104,8 +108,8 @@
          <para>Unless otherwise specified for the particular
          <replaceable>command</replaceable>, the default chain is PREROUTING
          when MARK_IN_FORWARD_CHAIN=No in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and FORWARD
+          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
-          when MARK_IN_FORWARD_CHAIN=Yes.</para>
+          FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
          <para>A chain-designator may not be specified if the SOURCE or DEST
          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
@ -310,8 +314,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
                <para>If INLINE_MATCHES=Yes in <ulink
-                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then the
+                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
-                third rule above can be specified as follows:</para>
+                then the third rule above can be specified as follows:</para>
                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
              </listitem>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-masq</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -35,8 +37,8 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      entries in <ulink
+      PREROUTING entries in <ulink
      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
      that.</para>
    </warning>
@ -55,27 +57,26 @@
          <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
          comma-separated list of interface names. This is usually your
          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
-          and a <emphasis>digit</emphasis> to indicate that you want the alias
+          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          added with that name (e.g., eth0:0). This will allow the alias to be
+          want the alias added with that name (e.g., eth0:0). This will allow
-          displayed with ifconfig. <emphasis role="bold">That is the only use
+          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          for the alias name; it may not appear in any other place in your
+          is the only use for the alias name; it may not appear in any other
-          Shorewall configuration.</emphasis></para>
+          place in your Shorewall configuration.</emphasis></para>
          <para>Each interface must match an entry in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          example, <filename class="devicefile">ppp0</filename> in this file
+          For example, <filename class="devicefile">ppp0</filename> in this
-          will match a <ulink
+          file will match a <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
-          <para>Where <ulink
+          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          url="/4.4/MultiISP.html#Shared">more that
+          internet provider share a single interface</ulink>, the provider is
-          one internet provider share a single interface</ulink>, the provider
+          specified by including the provider name or number in
          is specified by including the provider name or number in
          parentheses:</para>
          <programlisting>        eth0(Avvanta)</programlisting>
@ -88,8 +89,8 @@
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          are ipset names preceded by a plus sign '+';</para>
+          as are ipset names preceded by a plus sign '+';</para>
          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
@ -99,9 +100,9 @@
          <para>Normally Masq/SNAT rules are evaluated after those for
          one-to-one NAT (defined in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          rule to be applied before one-to-one NAT rules, prefix the interface
+          want the rule to be applied before one-to-one NAT rules, prefix the
-          name with "+":</para>
+          interface name with "+":</para>
          <programlisting>        +eth0
        +eth0:192.0.2.32/27
@ -174,7 +175,8 @@
        <listitem>
          <para>If you specify an address here, SNAT will be used and this
          will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
-          in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
+          in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
          Shorewall will automatically add this address to the INTERFACE named
          in the first column.</para>
@ -689,8 +691,8 @@
 </programlisting>
          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then these
+          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          rules may be specified as follows:</para>
+          these rules may be specified as follows:</para>
          <programlisting>/etc/shorewall/masq:
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-modules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -86,13 +88,13 @@
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-zones(5)</para>
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-nat</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -29,10 +31,10 @@
    <warning>
      <para>If all you want to do is simple port forwarding, do NOT use this
      file. See <ulink
-      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
+      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
-      Also, in many cases, Proxy ARP (<ulink
+      in many cases, Proxy ARP (<ulink
-      url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
+      url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
-      solution that one-to-one NAT.</para>
+      is a better solution that one-to-one NAT.</para>
    </warning>
    <para>The columns in the file are as follows (where the column name is
@ -72,7 +74,8 @@
        <listitem>
          <para>Interfaces that have the <emphasis
          role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
-          <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
          Shorewall will automatically add the EXTERNAL address to this
          interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
          name with ":" and a <emphasis>digit</emphasis> to indicate that you
@ -85,9 +88,9 @@
          <para>Each interface must match an entry in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          example, <filename class="devicefile">ppp0</filename> in this file
+          For example, <filename class="devicefile">ppp0</filename> in this
-          will match a <ulink
+          file will match a <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-nesting</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -24,17 +26,18 @@
  <refsect1>
    <title>Description</title>
-    <para>In <ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a
+    <para>In <ulink
-    zone may be declared to be a sub-zone of one or more other zones using the
+    url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a zone
    may be declared to be a sub-zone of one or more other zones using the
    above syntax. The <replaceable>child-zone</replaceable> may be neither the
    firewall zone nor a vserver zone. The firewall zone may not appear as a
    parent zone, although all vserver zones are handled as sub-zones of the
    firewall zone.</para>
    <para>Where zones are nested, the CONTINUE policy in <ulink
-    url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
+    url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows
-    are within multiple zones to be managed under the rules of all of these
+    hosts that are within multiple zones to be managed under the rules of all
-    zones.</para>
+    of these zones.</para>
  </refsect1>
  <refsect1>
@ -74,7 +77,8 @@
    under rules where the source zone is net. It is important that this policy
    be listed BEFORE the next policy (net to all). You can have this policy
    generated for you automatically by using the IMPLICIT_CONTINUE option in
-    <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
    <para>Partial <filename>/etc/shorewall/rules</filename>:</para>
@ -204,12 +208,13 @@
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-netmap</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -95,9 +97,9 @@
          in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          example, <filename class="devicefile">ppp0</filename> in this file
+          For example, <filename class="devicefile">ppp0</filename> in this
-          will match a <ulink
+          file will match a <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
@ -145,8 +147,8 @@
          range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
-          a typename. See <ulink
+          typename. See <ulink
          url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-params</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -26,8 +28,8 @@
    <para>Assign any shell variables that you need in this file. The file is
    always processed by <filename>/bin/sh</filename> or by the shell specified
    through SHOREWALL_SHELL in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
-    shell capabilities may be used.</para>
+    range of shell capabilities may be used.</para>
    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
@ -40,7 +42,8 @@
    <simplelist>
      <member><emphasis role="bold">Any option from <ulink
-      url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
+      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
      (5)</emphasis></member>
      <member><emphasis role="bold">COMMAND</emphasis></member>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-policy</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -66,8 +68,8 @@
        <listitem>
          <para>Source zone. Must be the name of a zone defined in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
-          "all+".</para>
+          $FW, "all" or "all+".</para>
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
@ -84,11 +86,11 @@
        <listitem>
          <para>Destination zone. Must be the name of a zone defined in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
-          "all+". If the DEST is a bport zone, then the SOURCE must be "all",
+          $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
-          "all+", another bport zone associated with the same bridge, or it
+          must be "all", "all+", another bport zone associated with the same
-          must be an ipv4 zone that is associated with only the same
+          bridge, or it must be an ipv4 zone that is associated with only the
-          bridge.</para>
+          same bridge.</para>
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
@ -118,8 +120,8 @@
            <listitem>
              <para>The word "None" or "none". This causes any default action
              defined in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to be
+              url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to
-              omitted for this policy.</para>
+              be omitted for this policy.</para>
            </listitem>
            <listitem>
@ -191,8 +193,8 @@
                might also match (where the source or destination zone in
                those rules is a superset of the SOURCE or DEST in this
                policy). See <ulink
-                url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
+                url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
-                additional information.</para>
+                for additional information.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-providers</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -77,17 +79,17 @@
        <listitem>
          <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
+          url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
-          direct packets to this provider.</para>
+          file to direct packets to this provider.</para>
          <para>If HIGH_ROUTE_MARKS=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
+          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          must be a multiple of 256 between 256 and 65280 or their hexadecimal
+          the value must be a multiple of 256 between 256 and 65280 or their
-          equivalents (0x0100 and 0xff00 with the low-order byte of the value
+          hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
-          being zero). Otherwise, the value must be between 1 and 255. Each
+          of the value being zero). Otherwise, the value must be between 1 and
-          provider must be assigned a unique mark value. This column may be
+          255. Each provider must be assigned a unique mark value. This column
-          omitted if you don't use packet marking to direct connections to a
+          may be omitted if you don't use packet marking to direct connections
-          particular provider.</para>
+          to a particular provider.</para>
        </listitem>
      </varlistentry>
@ -112,8 +114,8 @@
        <listitem>
          <para>The name of the network interface to the provider. Must be
          listed in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
-          general, that interface should not have the
+          In general, that interface should not have the
          <option>proxyarp</option> option specified unless
          <option>loose</option> is given in the OPTIONS column of this
          entry.</para>
@ -177,8 +179,9 @@
                <para>Beginning with Shorewall 4.4.3, <option>track</option>
                defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
+                <ulink
-                If you set TRACK_PROVIDERS=Yes and want to override that
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
                (5). If you set TRACK_PROVIDERS=Yes and want to override that
                setting for an individual provider, then specify
                <option>notrack</option> (see below).</para>
              </listitem>
--- a/Shorewall/manpages/shorewall-proxyarp.xml
+++ b/Shorewall/manpages/shorewall-proxyarp.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-proxyarp</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-routes.xml
+++ b/Shorewall/manpages/shorewall-routes.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-routes</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -34,8 +36,8 @@
        <listitem>
          <para>The name or number of a provider defined in <ulink
-          url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5).
+          url="/manpages/shorewall-providers.html">shorewall-providers</ulink>
-          Beginning with Shorewall 4.5.14, you may also enter
+          (5). Beginning with Shorewall 4.5.14, you may also enter
          <option>main</option> in this column to add routes to the main
          routing table.</para>
        </listitem>
@ -73,8 +75,8 @@
        <listitem>
          <para>Specifies the device route. If neither DEVICE nor GATEWAY is
          given, then the INTERFACE specified for the PROVIDER in <ulink
-          url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5). This
+          url="/manpages/shorewall-providers.html">shorewall-providers</ulink>
-          column must be omitted if <option>blackhole</option>,
+          (5). This column must be omitted if <option>blackhole</option>,
          <option>prohibit</option> or <option>unreachable</option> is
          specified in the GATEWAY column.</para>
        </listitem>
--- a/Shorewall/manpages/shorewall-routestopped.xml
+++ b/Shorewall/manpages/shorewall-routestopped.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-routestopped</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-rtrules.xml
+++ b/Shorewall/manpages/shorewall-rtrules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-rtrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-rules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,8 +27,8 @@
    <para>Entries in this file govern connection establishment by defining
    exceptions to the policies laid out in <ulink
-    url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By default,
+    url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By
-    subsequent requests and responses are automatically allowed using
+    default, subsequent requests and responses are automatically allowed using
    connection tracking. For any particular (source,dest) pair of zones, the
    rules are evaluated in the order in which they appear in this file and the
    first terminating match is the one that determines the disposition of the
@ -145,8 +147,8 @@
    <warning>
      <para>If you specify FASTACCEPT=Yes in <ulink
-      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
+      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the
-      role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
+      <emphasis role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
      role="bold">RELATED</emphasis> sections must be empty.</para>
      <para>An except is made if you are running Shorewall 4.4.27 or later and
@ -234,8 +236,8 @@
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-                in /usr/share/shorewall/actions.std.</para>
+                or in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>
@ -329,12 +331,13 @@
                <para>Do not process any of the following rules for this
                (source zone,destination zone). If the source and/or
                destination IP address falls into a zone defined later in
-                <ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
+                <ulink
                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
                or in a parent zone of the source or destination zones, then
                this connection request will be passed to the rules defined
                for that (those) zone(s). See <ulink
-                url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
+                url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
-                additional information.</para>
+                for additional information.</para>
              </listitem>
            </varlistentry>
@ -671,8 +674,8 @@
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
+          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-          /usr/share/shorewall/actions.std then:</para>
+          or in /usr/share/shorewall/actions.std then:</para>
          <itemizedlist>
            <listitem>
@ -732,10 +735,10 @@
          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
-          <replaceable>zone-list</replaceable> may be optionally followed by
+          This <replaceable>zone-list</replaceable> may be optionally followed
-          "+" to indicate that the rule is to apply to intra-zone traffic as
+          by "+" to indicate that the rule is to apply to intra-zone traffic
-          well as inter-zone traffic.</para>
+          as well as inter-zone traffic.</para>
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
@ -906,18 +909,19 @@
        <listitem>
          <para>Location of Server. May be a zone declared in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
-          role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
+          $<emphasis role="bold">FW</emphasis> to indicate the firewall
-          role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
+          itself, <emphasis role="bold">all</emphasis>. <emphasis
-          <emphasis role="bold">none</emphasis>.</para>
+          role="bold">all+</emphasis> or <emphasis
          role="bold">none</emphasis>.</para>
          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
-          <replaceable>zone-list</replaceable> may be optionally followed by
+          This <replaceable>zone-list</replaceable> may be optionally followed
-          "+" to indicate that the rule is to apply to intra-zone traffic as
+          by "+" to indicate that the rule is to apply to intra-zone traffic
-          well as inter-zone traffic.</para>
+          as well as inter-zone traffic.</para>
          <para>Beginning with Shorewall 4.5.4, A
          <replaceable>countrycode-list</replaceable> may be specified. A
@ -1577,8 +1581,8 @@
          </simplelist>
          <para>If the HELPERS option is specified in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then any module
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
-          specified in this column must be listed in the HELPERS
+          any module specified in this column must be listed in the HELPERS
          setting.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-secmarks</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,10 +27,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final secmark
+      evaluation of rules in this file will continue after a match. So the
-      for each packet will be the one assigned by the LAST rule that
+      final secmark for each packet will be the one assigned by the LAST rule
-      matches.</para>
+      that matches.</para>
    </important>
    <para>The secmarks file is used to associate an SELinux context with
@ -249,8 +251,8 @@
          <emphasis>port range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
-          a typename. See <ulink
+          typename. See <ulink
          url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-stoppedrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-tcclasses</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -125,9 +127,9 @@
          <para>You may specify the interface number rather than the interface
          name. If the <emphasis role="bold">classify</emphasis> option is
          given for the interface in <ulink
-          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
+          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5),
-          you must also specify an interface class (an integer that must be
+          then you must also specify an interface class (an integer that must
-          unique within classes associated with this interface). If the
+          be unique within classes associated with this interface). If the
          classify option is not given, you may still specify a
          <emphasis>class</emphasis> or you may have Shorewall generate a
          class number from the MARK value. Interface numbers and class
@ -144,8 +146,8 @@
          <para>Normally, all classes defined here are sub-classes of a root
          class that is implicitly defined from the entry in <ulink
-          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
+          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5).
-          can establish a class hierarchy by specifying a
+          You can establish a class hierarchy by specifying a
          <emphasis>parent</emphasis> class -- the number of a class that you
          have previously defined. The sub-class may borrow unused bandwidth
          from its parent.</para>
@ -159,11 +161,12 @@
        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
-          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) file,
+          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
-          marking the traffic you want to fit in the classes defined in here.
+          file, marking the traffic you want to fit in the classes defined in
-          Must be specified as '-' if the <emphasis
+          here. Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
-          <ulink url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+          <ulink
          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
          and you are running Shorewall 4.5.5 or earlier.</para>
          <para>You can use the same marks for different interfaces.</para>
@ -290,7 +293,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>
-                <para/>
+                <para></para>
                <note>
                  <para>You must define <emphasis
@ -417,7 +420,8 @@
                of the class. So the total RATE represented by an entry with
                'occurs' will be the listed RATE multiplied by
                <emphasis>number</emphasis>. For additional information, see
-                <ulink url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
+                <ulink
                url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
                (5).</para>
              </listitem>
            </varlistentry>
@ -720,10 +724,10 @@
          priority number, giving less delay) and will be granted excess
          bandwidth (up to 180kbps, the class ceiling) first, before any other
          traffic. A single VoIP stream, depending upon codecs, after
-          encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
+          encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
-          little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
+          a little bit just in case. (TOS byte values 0xb8 and 0x68 are
-          classes EF and AFF3-1 respectively and are often used by VOIP
+          DiffServ classes EF and AFF3-1 respectively and are often used by
-          devices).</para>
+          VOIP devices).</para>
          <para>Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
          echo traffic if you use the example in tcrules) and any packet with
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-tcdevices</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -150,8 +152,7 @@
          Beginning with Shorewall 4.4.25, a rate-estimated policing filter
          may be configured instead. Rate-estimated filters should be used
          with Ethernet adapters that have Generic Receive Offload enabled by
-          default. See <ulink
+          default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
          url="/FAQ.htm#faq97a">Shorewall FAQ
          97a</ulink>.</para>
          <para>To create a rate-estimated filter, precede the bandwidth with
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-tcfilters</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall/manpages/shorewall-tcinterfaces.xml
+++ b/Shorewall/manpages/shorewall-tcinterfaces.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-tcinterfaces</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,7 +27,8 @@
    <para>This file lists the interfaces that are subject to simple traffic
    shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
-    <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
    <para>A note on the <emphasis>bandwidth</emphasis> definition used in this
    file:</para>
@ -161,8 +164,7 @@
          Beginning with Shorewall 4.4.25, a rate-estimated policing filter
          may be configured instead. Rate-estimated filters should be used
          with Ethernet adapters that have Generic Receive Offload enabled by
-          default. See <ulink
+          default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
          url="/FAQ.htm#faq97a">Shorewall FAQ
          97a</ulink>.</para>
          <para>To create a rate-estimated filter, precede the bandwidth with
--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-tcpri</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,12 +27,13 @@
    <para>This file is used to specify the priority of traffic for simple
    traffic shaping (TC_ENABLED=Simple in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The
-    each packet is determined by the <emphasis role="bold">last</emphasis>
+    priority band of each packet is determined by the <emphasis
-    entry that the packet matches. If a packet doesn't match any entry in this
+    role="bold">last</emphasis> entry that the packet matches. If a packet
-    file, then its priority will be determined by its TOS field. The default
+    doesn't match any entry in this file, then its priority will be determined
-    mapping is as follows but can be changed by setting the TC_PRIOMAP option
+    by its TOS field. The default mapping is as follows but can be changed by
-    in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    setting the TC_PRIOMAP option in <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
 ------------------------------------------------------------
@ -131,8 +134,8 @@
        [<replaceable>helper</replaceable>]</term>
        <listitem>
-          <para>Optional. Names a Netfilter protocol helper module such as ftp,
+          <para>Optional. Names a Netfilter protocol helper module such as
-          sip, amanda, etc. A packet will match if it was accepted by the
+          ftp, sip, amanda, etc. A packet will match if it was accepted by the
          named helper module. You can also append "-" and a port number to
          the helper module name (e.g., ftp-21) to specify the port number
          that the original connection was made on.</para>
--- a/Shorewall/manpages/shorewall-template.xml
+++ b/Shorewall/manpages/shorewall-template.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -52,12 +54,13 @@
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tos.xml
+++ b/Shorewall/manpages/shorewall-tos.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-tos</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,7 +27,8 @@
    <para>This file defines rules for setting Type Of Service (TOS). Its use
    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
-    <ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink> (5).</para>
+    <ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>
    (5).</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-tunnels</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -27,8 +29,8 @@
    encrypted) traffic to pass between the Shorewall system and a remote
    gateway. Traffic flowing through the tunnel is handled using the normal
    zone/policy/rule mechanism. See <ulink
-    url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
+    url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink> for
-    for details.</para>
+    details.</para>
    <para>The columns in the file are as follows.</para>
@ -143,8 +145,8 @@
          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
          may be given. Exclusion (<ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-          not supported.</para>
+          (5) ) is not supported.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-vardir.xml
+++ b/Shorewall/manpages/shorewall-vardir.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-vardir</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -54,12 +56,13 @@
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-zones</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -45,17 +47,17 @@
          "none", "any", "SOURCE" and "DEST" are reserved and may not be used
          as zone names. The maximum length of a zone name is determined by
          the setting of the LOGFORMAT option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With the
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With
-          default LOGFORMAT, zone names can be at most 5 characters
+          the default LOGFORMAT, zone names can be at most 5 characters
          long.</para>
          <blockquote>
            <para>The maximum length of an iptables log prefix is 29 bytes. As
            explained in <ulink
-            url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5), the default
+            url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
-            LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
+            the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
-            %s is replaced by the chain name and the second is replaced by the
+            where the first %s is replaced by the chain name and the second is
-            disposition.</para>
+            replaced by the disposition.</para>
            <itemizedlist>
              <listitem>
@ -97,8 +99,8 @@
          (sub)zone name by ":" and a comma-separated list of the parent
          zones. The parent zones must have been declared in earlier records
          in this file. See <ulink
-          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
+          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
-          additional information.</para>
+          for additional information.</para>
          <para>Example:</para>
@ -110,8 +112,8 @@ c:a,b     ipv4</programlisting>
          <para>Currently, Shorewall uses this information to reorder the zone
          list so that parent zones appear after their subzones in the list.
          The IMPLICIT_CONTINUE option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can also create
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can
-          implicit CONTINUE policies to/from the subzone.</para>
+          also create implicit CONTINUE policies to/from the subzone.</para>
          <para>Where an <emphasis role="bold">ipsec</emphasis> zone is
          explicitly included as a child of an <emphasis
@ -180,7 +182,8 @@ c:a,b     ipv4</programlisting>
              <listitem>
                <para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
                Linux-vserver guests. The zone contents must be defined in
-                <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
+                <ulink
                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
                (5).</para>
                <para>Vserver zones are implicitly handled as subzones of the
@ -310,7 +313,8 @@ c:a,b     ipv4</programlisting>
                <para>Added in Shorewall 4.5.9. May only be specified in the
                OPTIONS column and indicates that only a single ipset should
                be created for this zone if it has multiple dynamic entries in
-                <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
+                <ulink
                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
                Without this option, a separate ipset is created for each
                interface.</para>
              </listitem>
@ -354,9 +358,9 @@ c:a,b     ipv4</programlisting>
              <listitem>
                <para>sets the MSS field in TCP packets. If you supply this
                option, you should also set FASTACCEPT=No in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to insure
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
-                that both the SYN and SYN,ACK packets have their MSS field
+                to insure that both the SYN and SYN,ACK packets have their MSS
-                adjusted.</para>
+                field adjusted.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -204,8 +206,8 @@
        <listitem>
          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
          is enabled (see <ulink
-          url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
+          url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)).
-          not specified or set to the empty value, ACCOUNTING=Yes is
+          If not specified or set to the empty value, ACCOUNTING=Yes is
          assumed.</para>
        </listitem>
      </varlistentry>
@ -230,8 +232,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the external address(es) in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the
-          is set to <emphasis role="bold">Yes</emphasis> or <emphasis
+          variable is set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          aliases. If it is set to <emphasis role="bold">No</emphasis> or
          <emphasis role="bold">no</emphasis>, you must add these aliases
@ -256,13 +258,13 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the SNAT ADDRESS in <ulink
-          url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
+          url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If
-          is set to <emphasis role="bold">Yes</emphasis> or <emphasis
+          the variable is set to <emphasis role="bold">Yes</emphasis> or
-          role="bold">yes</emphasis> then Shorewall automatically adds these
+          <emphasis role="bold">yes</emphasis> then Shorewall automatically
-          addresses. If it is set to <emphasis role="bold">No</emphasis> or
+          adds these addresses. If it is set to <emphasis
-          <emphasis role="bold">no</emphasis>, you must add these addresses
+          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          yourself using your distribution's network configuration
+          you must add these addresses yourself using your distribution's
-          tools.</para>
+          network configuration tools.</para>
          <para>If this variable is not set or is given an empty value
          (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
@ -356,7 +358,8 @@
                <listitem>
                  <para>Specify the appropriate helper in the HELPER column in
-                  <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
+                  <ulink
                  url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
                  (5).</para>
                  <note>
@ -430,7 +433,8 @@
          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). It
          determines the disposition of packets sent to the <emphasis
          role="bold">blacklog</emphasis> target of <ulink
-          url="/manpages/shorewall-blrules.html">shorewall-blrules </ulink>(5).</para>
+          url="/manpages/shorewall-blrules.html">shorewall-blrules
          </ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -463,9 +467,11 @@
          role="bold">yes</emphasis>, blacklists are only consulted for new
          connections and for packets in the INVALID connection state (such as
          TCP SYN,ACK when there has been no corresponding SYN). That includes
-          entries in the <ulink url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) file
+          entries in the <ulink
-          and in the BLACKLIST section of <ulink
+          url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).</para>
+          file and in the BLACKLIST section of <ulink
          url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
          (5).</para>
          <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
          role="bold">no</emphasis>, blacklists are consulted for every packet
@ -534,8 +540,8 @@
          /etc/shorewall/tcstart file. That way, your traffic shaping rules
          can still use the “fwmark” classifier based on packet marking
          defined in <ulink
-          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
+          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
-          specified, CLEAR_TC=Yes is assumed.</para>
+          If not specified, CLEAR_TC=Yes is assumed.</para>
        </listitem>
      </varlistentry>
@ -907,8 +913,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <para>Prior to version 3.2.0, it was not possible to use connection
          marking in <ulink
-          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
+          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5)
-          a multi-ISP configuration that uses the track option.</para>
+          if you had a multi-ISP configuration that uses the track
          option.</para>
          <para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
          packet mark and connection mark into two mark fields.</para>
@ -990,11 +997,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <para>Subzones are defined by following their name with ":" and a
          list of parent zones (in <ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)).
-          you want to have a set of special rules for the subzone and if a
+          Normally, you want to have a set of special rules for the subzone
-          connection doesn't match any of those subzone-specific rules then
+          and if a connection doesn't match any of those subzone-specific
-          you want the parent zone rules and policies to be applied; see
+          rules then you want the parent zone rules and policies to be
-          <ulink url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
+          applied; see <ulink
          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
          With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
          <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@ -1011,9 +1019,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a semicolon
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a
-          separates column-oriented specifications on the left from <ulink
+          semicolon separates column-oriented specifications on the left from
-          url="/configuration_file_basics.htm#Pairs">alternative
+          <ulink url="/configuration_file_basics.htm#Pairs">alternative
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. If not specified or
@ -1029,10 +1037,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          INVALID packets through the NEW section of <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
-          packet in INVALID state fails to match any rule in the INVALID
+          When a packet in INVALID state fails to match any rule in the
-          section, the packet is disposed of based on this setting. The
+          INVALID section, the packet is disposed of based on this setting.
-          default value is CONTINUE for compatibility with earlier
+          The default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@ -1117,11 +1125,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>This option indicates that zone-related ipsec information is
          found in the zones file (<ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). The option
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)).
-          indicates to the compiler that this is not a legacy configuration
+          The option indicates to the compiler that this is not a legacy
-          where the ipsec information was contained in a separate file. The
+          configuration where the ipsec information was contained in a
-          value of this option must not be changed and the option must not be
+          separate file. The value of this option must not be changed and the
-          deleted.</para>
+          option must not be deleted.</para>
        </listitem>
      </varlistentry>
@ -1378,7 +1386,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <note>
            <para>The setting of LOGFORMAT has an effect of the permitted
            length of zone names. See <ulink
-            url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).</para>
+            url="/manpages/shorewall-zones.html">shorewall-zones</ulink>
            (5).</para>
          </note>
        </listitem>
      </varlistentry>
@ -1546,8 +1555,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>The performance of configurations with a large numbers of
          entries in <ulink
-          url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
+          url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5)
-          improved by setting the MACLIST_TTL variable in <ulink
+          can be improved by setting the MACLIST_TTL variable in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>If your iptables and kernel support the "Recent Match" (see
@ -1557,14 +1566,15 @@ LOG:info:,bar                        net                    fw</programlisting>
          <para>When a new connection arrives from a 'maclist' interface, the
          packet passes through then list of entries for that interface in
-          <ulink url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+          <ulink
-          there is a match then the source IP address is added to the 'Recent'
+          url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
-          set for that interface. Subsequent connection attempts from that IP
+          If there is a match then the source IP address is added to the
-          address occurring within $MACLIST_TTL seconds will be accepted
+          'Recent' set for that interface. Subsequent connection attempts from
-          without having to scan all of the entries. After $MACLIST_TTL from
+          that IP address occurring within $MACLIST_TTL seconds will be
-          the first accepted connection request from an IP address, the next
+          accepted without having to scan all of the entries. After
-          connection request from that IP address will be checked against the
+          $MACLIST_TTL from the first accepted connection request from an IP
-          entire list.</para>
+          address, the next connection request from that IP address will be
          checked against the entire list.</para>
          <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
          MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@ -2104,12 +2114,13 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Shorewall has traditionally
          ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
+          section of <ulink
-          (5). Concern about the safety of this practice resulted in the
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
-          addition of this option. When a packet in RELATED state fails to
+          Concern about the safety of this practice resulted in the addition
-          match any rule in the RELATED section, the packet is disposed of
+          of this option. When a packet in RELATED state fails to match any
-          based on this setting. The default value is ACCEPT for compatibility
+          rule in the RELATED section, the packet is disposed of based on this
-          with earlier versions.</para>
+          setting. The default value is ACCEPT for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@ -2120,9 +2131,9 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Packets in the related state that
          do not match any rule in the RELATED section of <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
-          this level. The default value is empty which means no logging is
+          logged at this level. The default value is empty which means no
-          performed.</para>
+          logging is performed.</para>
        </listitem>
      </varlistentry>
@ -2203,7 +2214,8 @@ INLINE          -       -       -       ; -j REJECT
          <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
          at least one optional interface must be up in order for the firewall
          to be in the started state. Intended to be used with the <ulink
-          url="/manpages/shorewall-init.html">Shorewall Init Package</ulink>.</para>
+          url="/manpages/shorewall-init.html">Shorewall Init
          Package</ulink>.</para>
        </listitem>
      </varlistentry>
@ -2266,17 +2278,17 @@ INLINE          -       -       -       ; -j REJECT
          <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
          addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
          ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and
-          url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) are processed
+          <ulink url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5)
-          then are re-added later. This is done to help ensure that the
+          are processed then are re-added later. This is done to help ensure
-          addresses can be added with the specified labels but can have the
+          that the addresses can be added with the specified labels but can
-          undesirable side effect of causing routes to be quietly deleted.
+          have the undesirable side effect of causing routes to be quietly
-          When RETAIN_ALIASES is set to Yes, existing addresses will not be
+          deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
-          deleted. Regardless of the setting of RETAIN_ALIASES, addresses
+          not be deleted. Regardless of the setting of RETAIN_ALIASES,
-          added during <emphasis role="bold">shorewall start</emphasis> are
+          addresses added during <emphasis role="bold">shorewall
-          still deleted at a subsequent <emphasis role="bold">shorewall
+          start</emphasis> are still deleted at a subsequent <emphasis
-          stop</emphasis> or <emphasis role="bold">shorewall
+          role="bold">shorewall stop</emphasis> or <emphasis
-          restart</emphasis>.</para>
+          role="bold">shorewall restart</emphasis>.</para>
        </listitem>
      </varlistentry>
@ -2374,9 +2386,9 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. Determines the disposition of
          packets matching the <option>sfilter</option> option (see <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          <option>routeback</option> option.<footnote>
+          the <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote> interfaces without the routeback option.</para>
@ -2390,9 +2402,9 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added on Shorewall 4.4.20. Determines the logging of packets
          matching the <option>sfilter</option> option (see <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          <option>routeback</option> option.<footnote>
+          the <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote> interfaces without the routeback option. The default
@ -2421,9 +2433,9 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. The default setting is DROP which
          causes smurf packets (see the nosmurfs option in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          be dropped. A_DROP causes the packets to be audited prior to being
+          to be dropped. A_DROP causes the packets to be audited prior to
-          dropped and requires AUDIT_TARGET support in the kernel and
+          being dropped and requires AUDIT_TARGET support in the kernel and
          iptables.</para>
        </listitem>
      </varlistentry>
@ -2435,8 +2447,8 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Specifies the logging level for smurf packets (see the
          nosmurfs option in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
-          set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+          If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
          logged.</para>
        </listitem>
      </varlistentry>
@ -2525,7 +2537,8 @@ INLINE          -       -       -       ; -j REJECT
          <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
          simple traffic shaping using <ulink
          url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
-          and <ulink url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
+          and <ulink
          url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
          enabled.</para>
          <para>If you set TC_ENABLED=Internal or internal or leave the option
@ -2589,10 +2602,10 @@ INLINE          -       -       -       ; -j REJECT
          <para>Determines the disposition of TCP packets that fail the checks
          enabled by the <emphasis role="bold">tcpflags</emphasis> interface
          option (see <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          must have a value of ACCEPT (accept the packet), REJECT (send an RST
+          and must have a value of ACCEPT (accept the packet), REJECT (send an
-          response) or DROP (ignore the packet). If not set or if set to the
+          RST response) or DROP (ignore the packet). If not set or if set to
-          empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+          the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
          TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
          <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@ -2621,8 +2634,8 @@ INLINE          -       -       -       ; -j REJECT
          <para>Added in Shorewall 4.4.3. When set to Yes, causes the
          <option>track</option> option to be assumed on all providers defined
          in <ulink
-          url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5). May
+          url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).
-          be overridden on an individual provider through use of the
+          May be overridden on an individual provider through use of the
          <option>notrack</option> option. The default value is 'No'.</para>
          <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@ -2669,10 +2682,10 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          UNTRACKED packets through the NEW section of <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
-          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          When a packet in UNTRACKED state fails to match any rule in the
-          section, the packet is disposed of based on this setting. The
+          UNTRACKED section, the packet is disposed of based on this setting.
-          default value is CONTINUE for compatibility with earlier
+          The default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@ -2684,9 +2697,9 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
          do not match any rule in the UNTRACKED section of <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
-          this level. The default value is empty which means no logging is
+          logged at this level. The default value is empty which means no
-          performed.</para>
+          logging is performed.</para>
        </listitem>
      </varlistentry>
@ -2708,8 +2721,8 @@ INLINE          -       -       -       ; -j REJECT
          <orderedlist>
            <listitem>
              <para>Both the DUPLICATE and the COPY columns in <ulink
-              url="/manpages/shorewall-providers.html">providers</ulink>(5) file must
+              url="/manpages/shorewall-providers.html">providers</ulink>(5)
-              remain empty (or contain "-").</para>
+              file must remain empty (or contain "-").</para>
            </listitem>
            <listitem>
@ -2725,9 +2738,9 @@ INLINE          -       -       -       ; -j REJECT
            <listitem>
              <para>Packets are sent through the main routing table by a rule
              with priority 999. In <ulink
-              url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5), the
+              url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5),
-              range 1-998 may be used for inserting rules that bypass the main
+              the range 1-998 may be used for inserting rules that bypass the
-              table.</para>
+              main table.</para>
            </listitem>
            <listitem>
--- a/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-lite-vardir</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6-lite/manpages/shorewall6-lite.conf.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.conf.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-lite.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-lite</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>Administrative Commands</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-accounting</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-actions</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -24,8 +26,9 @@
    <title>Description</title>
    <para>This file allows you to define new ACTIONS for use in rules (see
-    <ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You define
+    <ulink
-    the ip6tables rules to be performed in an ACTION in
+    url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You
    define the ip6tables rules to be performed in an ACTION in
    /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
    <para>Columns are:</para>
--- a/Shorewall6/manpages/shorewall6-blacklist.xml
+++ b/Shorewall6/manpages/shorewall6-blacklist.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-blacklist</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -26,10 +28,11 @@
    <para>The blacklist file is used to perform static blacklisting by source
    address (IP or MAC), or by application. The use of this file is deprecated
    in favor of <ulink
-    url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
+    url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5),
-    with Shorewall 4.5.7, the blacklist file is no longer installed. Existing
+    and beginning with Shorewall 4.5.7, the blacklist file is no longer
-    blacklist files can be converted to a corresponding blrules file using the
+    installed. Existing blacklist files can be converted to a corresponding
-    <command>shorewall6 update -b</command> command.</para>
+    blrules file using the <command>shorewall6 update -b</command>
    command.</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
@ -47,8 +50,8 @@
          (if your kernel and ip6tables contain iprange match support) or
          ipset name prefaced by "+" (if your kernel supports ipset match).
          Exclusion (<ulink
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
-          supported.</para>
+          is supported.</para>
          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>
@ -145,13 +148,13 @@
    <para>When a packet arrives on an interface that has the <emphasis
    role="bold">blacklist</emphasis> option specified in <ulink
-    url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5), its
+    url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5),
-    source IP address and MAC address is checked against this file and
+    its source IP address and MAC address is checked against this file and
    disposed of according to the <emphasis
    role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If <emphasis
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
-    role="bold">PROTOCOL</emphasis> or <emphasis
+    <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
    role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
    are supplied, only packets matching the protocol (and one of the ports if
    <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
--- a/Shorewall6/manpages/shorewall6-blrules.xml
+++ b/Shorewall6/manpages/shorewall6-blrules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-blrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -34,7 +36,8 @@
    connections in the NEW and INVALID states.</para>
    <para>The format of rules in this file is the same as the format of rules
-    in <ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
+    in <ulink
    url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
    difference in the two files lies in the ACTION (first) column.</para>
    <variablelist>
@ -89,10 +92,11 @@
              <listitem>
                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
-                <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf </ulink>(5).
+                <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
-                Logs, audits (if specified) and applies the
+                </ulink>(5). Logs, audits (if specified) and applies the
                BLACKLIST_DISPOSITION specified in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
                (5).</para>
              </listitem>
            </varlistentry>
@ -206,8 +210,8 @@
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
+                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
-                in /usr/share/shorewall6/actions.std.</para>
+                or in /usr/share/shorewall6/actions.std.</para>
              </listitem>
            </varlistentry>
@ -238,8 +242,8 @@
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
+          url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
-          /usr/share/shorewall6/actions.std then:</para>
+          or in /usr/share/shorewall6/actions.std then:</para>
          <itemizedlist>
            <listitem>
@ -274,7 +278,8 @@
    </variablelist>
    <para>For the remaining columns, see <ulink
-    url="/manpages6/shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
+    url="/manpages6/shorewall6-rules.html">shorewall6-rules
    (5)</ulink>.</para>
  </refsect1>
  <refsect1>
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-conntrack</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -357,7 +359,8 @@
          <para>Where <replaceable>interface</replaceable> is an interface to
          that zone, and <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
-          <ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
+          <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
          (5)).</para>
          <para>COMMENT is only allowed in format 1; the remainder of the line
@ -373,7 +376,8 @@
        <listitem>
          <para>where <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
-          <ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
+          <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
          (5)).</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-exclusion.xml
+++ b/Shorewall6/manpages/shorewall6-exclusion.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-exclusion</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -103,10 +105,11 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
-    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-hosts.xml
+++ b/Shorewall6/manpages/shorewall6-hosts.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-hosts</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -29,8 +31,9 @@
    <para>The order of entries in this file is not significant in determining
    zone composition. Rather, the order that the zones are declared in <ulink
-    url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) determines the
+    url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
-    order in which the records in this file are interpreted.</para>
+    determines the order in which the records in this file are
    interpreted.</para>
    <warning>
      <para>The only time that you need this file is when you have more than
@ -39,9 +42,9 @@
    <warning>
      <para>If you have an entry for a zone and interface in <ulink
-      url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) then do
+      url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
-      not include any entries in this file for that same (zone, interface)
+      then do not include any entries in this file for that same (zone,
-      pair.</para>
+      interface) pair.</para>
    </warning>
    <para>The columns in the file are as follows (where the column name is
@ -55,8 +58,8 @@
        <listitem>
          <para>The name of a zone declared in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5). You may not
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).
-          list the firewall zone in this column.</para>
+          You may not list the firewall zone in this column.</para>
        </listitem>
      </varlistentry>
@ -137,8 +140,8 @@
                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                that if the zone named in the ZONE column is specified as an
                IPSEC zone in the <ulink
-                url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) file
+                url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
-                then you do NOT need to specify the 'ipsec' option
+                file then you do NOT need to specify the 'ipsec' option
                here.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-interfaces</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -71,7 +73,8 @@
          zone in this column.</para>
          <para>If the interface serves multiple zones that will be defined in
-          the <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
+          the <ulink
          url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
          file, you should place "-" in this column.</para>
          <para>If there are multiple interfaces to the same zone, you must
@ -115,8 +118,8 @@ loc     eth2            -</programlisting>
          <para>Care must be exercised when using wildcards where there is
          another zone that uses a matching specific interface. See <ulink
-          url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
+          url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
-          discussion of this problem.</para>
+          for a discussion of this problem.</para>
          <para>Shorewall6 allows '+' as an interface name.</para>
@ -270,8 +273,8 @@ loc     eth2            -</programlisting>
                  <listitem>
                    <para>the interface is a <ulink
-                    url="/SimpleBridge.html">simple bridge</ulink> with a
+                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
-                    DHCP server on one port and DHCP clients on another
+                    server on one port and DHCP clients on another
                    port.</para>
                    <note>
@ -501,7 +504,7 @@ loc     eth2            -</programlisting>
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
                <para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
-                default. To disable this option, specify tcpflags=0. </para>
+                default. To disable this option, specify tcpflags=0.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall6/manpages/shorewall6-ipsets.xml
+++ b/Shorewall6/manpages/shorewall6-ipsets.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall-ipsets</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -78,7 +80,8 @@
    specified, matching packets must match all of the listed sets.</para>
    <para>For information about set lists and exclusion, see <ulink
-    url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5).</para>
+    url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
    (5).</para>
    <para>Beginning with Shorewall 4.5.16, you can increment one or more
    nfacct objects each time a packet matches an ipset. You do that by listing
--- a/Shorewall6/manpages/shorewall6-maclist.xml
+++ b/Shorewall6/manpages/shorewall6-maclist.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-maclist</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -27,8 +29,9 @@
    associated IPv6 addresses to be allowed to use the specified interface.
    The feature is enabled by using the <emphasis
    role="bold">maclist</emphasis> option in the <ulink
-    url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
+    url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
-    <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
+    or <ulink
    url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
    configuration file.</para>
    <para>The columns in the file are as follows.</para>
@ -43,8 +46,8 @@
        <listitem>
          <para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
          role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          is also allowed). If specified, the
+          then REJECT is also allowed). If specified, the
          <replaceable>log-level</replaceable> causes packets matching the
          rule to be logged at that level.</para>
        </listitem>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-mangle</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,13 +27,14 @@
    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
-    url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>. This file is
+    url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>.
-    only processed by the compiler if:</para>
+    This file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
      <listitem>
        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
-        <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
+        <ulink
        url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
        or</para>
      </listitem>
@ -46,10 +49,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
+      url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final mark for
+      evaluation of rules in this file will continue after a match. So the
-      each packet will be the one assigned by the LAST tcrule that
+      final mark for each packet will be the one assigned by the LAST tcrule
-      matches.</para>
+      that matches.</para>
      <para>If you use multiple internet providers with the 'track' option, in
      /etc/shorewall/providers be sure to read the restrictions at <ulink
@ -106,8 +109,8 @@
          <para>Unless otherwise specified for the particular
          <replaceable>command</replaceable>, the default chain is PREROUTING
          when MARK_IN_FORWARD_CHAIN=No in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, and FORWARD
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
-          when MARK_IN_FORWARD_CHAIN=Yes.</para>
+          and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
          <para>A chain-designator may not be specified if the SOURCE or DEST
          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
@ -312,8 +315,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
                <para>If INLINE_MATCHES=Yes in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
-                third rule above can be specified as follows:</para>
+                then the third rule above can be specified as follows:</para>
                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
              </listitem>
@ -731,9 +734,9 @@ Normal-Service       =&gt; 0x00</programlisting>
              <para>An interface name. May not be used in the PREROUTING chain
              (:P in the mark column or no chain qualifier and
              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)). The
+              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
-              interface name may be optionally followed by a colon (":") and
+              (5)). The interface name may be optionally followed by a colon
-              an IP address list.</para>
+              (":") and an IP address list.</para>
            </listitem>
            <listitem>
--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-masq</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -35,10 +37,10 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) or
+      url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
-      PREROUTING entries in <ulink
+      or PREROUTING entries in <ulink
-      url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to do
+      url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
-      that.</para>
+      do that.</para>
    </warning>
    <para>The columns in the file are as follows.</para>
@ -65,10 +67,9 @@
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
-          <para>Where <ulink
+          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          url="/4.4/MultiISP.html#Shared">more that
+          internet provider share a single interface</ulink>, the provider is
-          one internet provider share a single interface</ulink>, the provider
+          specified by including the provider name or number in
          is specified by including the provider name or number in
          parentheses:</para>
          <programlisting>        eth0(Avvanta)</programlisting>
@ -81,8 +82,8 @@
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
-          are ipset names preceded by a plus sign '+'.</para>
+          as are ipset names preceded by a plus sign '+'.</para>
          <para>Comments may be attached to Netfilter rules generated from
          entries in this file through the use of COMMENT lines. These lines
@ -545,8 +546,8 @@
 </programlisting>
          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then these
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          rules may be specified as follows:</para>
+          then these rules may be specified as follows:</para>
          <programlisting>/etc/shorewall/masq:
--- a/Shorewall6/manpages/shorewall6-modules.xml
+++ b/Shorewall6/manpages/shorewall6-modules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-modules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -30,8 +32,8 @@
    <para>These files specify which kernel modules shorewall6 will load before
    trying to determine your ip6tables/kernel's capabilities. The
    <filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
-    <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5); the
+    <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5);
-    <filename>helpers</filename> file is used when
+    the <filename>helpers</filename> file is used when
    LOAD_HELPERS_ONLY=Yes.</para>
    <para>Each record in the files has the following format:</para>
@ -86,8 +88,8 @@
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
-    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
--- a/Shorewall6/manpages/shorewall6-nesting.xml
+++ b/Shorewall6/manpages/shorewall6-nesting.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-nesting</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -24,17 +26,18 @@
  <refsect1>
    <title>Description</title>
-    <para>In <ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a
+    <para>In <ulink
-    zone may be declared to be a sub-zone of one or more other zones using the
+    url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a zone
    may be declared to be a sub-zone of one or more other zones using the
    above syntax. The <replaceable>child-zone</replaceable> may be neither the
    firewall zone nor a vserver zone. The firewall zone may not appear as a
    parent zone, although all vserver zones are handled as sub-zones of the
    firewall zone.</para>
    <para>Where zones are nested, the CONTINUE policy in <ulink
-    url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
+    url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5)
-    that are within multiple zones to be managed under the rules of all of
+    allows hosts that are within multiple zones to be managed under the rules
-    these zones.</para>
+    of all of these zones.</para>
  </refsect1>
  <refsect1>
@ -74,7 +77,8 @@
    under rules where the source zone is net. It is important that this policy
    be listed BEFORE the next policy (net to all). You can have this policy
    generated for you automatically by using the IMPLICIT_CONTINUE option in
-    <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+    <ulink
    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
    <para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
@ -109,10 +113,11 @@
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
-    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-netmap.xml
+++ b/Shorewall6/manpages/shorewall6-netmap.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-netmap</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -24,8 +26,7 @@
    <title>Description</title>
    <para>This file is used to map addresses in one network to corresponding
-    addresses in a second network. It was added in Shorewall6
+    addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
    4.4.23.3.</para>
    <warning>
      <para>To use this file, your kernel and ip6tables must have RAWPOST
@ -145,8 +146,8 @@
          <emphasis>port range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
-          a typename. See <ulink
+          typename. See <ulink
          url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
--- a/Shorewall6/manpages/shorewall6-params.xml
+++ b/Shorewall6/manpages/shorewall6-params.xml
@ -3,9 +3,11 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall6-netmap(5),shorewall6-params</refentrytitle>
+    <refentrytitle>shorewall6-params</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -26,8 +28,8 @@
    <para>Assign any shell variables that you need in this file. The file is
    always processed by <filename>/bin/sh</filename> or by the shell specified
    through SHOREWALL_SHELL in <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the
-    of shell capabilities may be used.</para>
+    full range of shell capabilities may be used.</para>
    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-policy</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -66,8 +68,8 @@
        <listitem>
          <para>Source zone. Must be the name of a zone defined in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
-          "all+".</para>
+          $FW, "all" or "all+".</para>
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
@ -84,11 +86,11 @@
        <listitem>
          <para>Destination zone. Must be the name of a zone defined in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
-          "all+". If the DEST is a bport zone, then the SOURCE must be "all",
+          $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
-          "all+", another bport zone associated with the same bridge, or it
+          must be "all", "all+", another bport zone associated with the same
-          must be an ipv4 zone that is associated with only the same
+          bridge, or it must be an ipv4 zone that is associated with only the
-          bridge.</para>
+          same bridge.</para>
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
@ -118,8 +120,8 @@
            <listitem>
              <para>The word "None" or "none". This causes any default action
              defined in <ulink
-              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
+              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
-              omitted for this policy.</para>
+              to be omitted for this policy.</para>
            </listitem>
            <listitem>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-providers</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -77,17 +79,17 @@
        <listitem>
          <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file to
+          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
-          direct packets to this provider.</para>
+          file to direct packets to this provider.</para>
          <para>If HIGH_ROUTE_MARKS=Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then the
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          value must be a multiple of 256 between 256 and 65280 or their
+          then the value must be a multiple of 256 between 256 and 65280 or
-          hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
+          their hexadecimal equivalents (0x0100 and 0xff00 with the low-order
-          of the value being zero). Otherwise, the value must be between 1 and
+          byte of the value being zero). Otherwise, the value must be between
-          255. Each provider must be assigned a unique mark value. This column
+          1 and 255. Each provider must be assigned a unique mark value. This
-          may be omitted if you don't use packet marking to direct connections
+          column may be omitted if you don't use packet marking to direct
-          to a particular provider.</para>
+          connections to a particular provider.</para>
        </listitem>
      </varlistentry>
@ -190,7 +192,8 @@
                <para>Beginning with Shorewall 4.4.3, <option>track</option>
                defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
+                <ulink
                url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
                (5). If you set TRACK_PROVIDERS=Yes and want to override that
                setting for an individual provider, then specify
                <option>notrack</option> (see below).</para>
--- a/Shorewall6/manpages/shorewall6-proxyndp.xml
+++ b/Shorewall6/manpages/shorewall6-proxyndp.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-proxyndp</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-routes.xml
+++ b/Shorewall6/manpages/shorewall6-routes.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-routes</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -34,8 +36,8 @@
        <listitem>
          <para>The name or number of a provider defined in <ulink
-          url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink> (5).
+          url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
-          Beginning with Shorewall 4.5.14, you may also enter
+          (5). Beginning with Shorewall 4.5.14, you may also enter
          <option>main</option> in this column to add routes to the main
          routing table.</para>
        </listitem>
--- a/Shorewall6/manpages/shorewall6-routestopped.xml
+++ b/Shorewall6/manpages/shorewall6-routestopped.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-routestopped</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-rtrules.xml
+++ b/Shorewall6/manpages/shorewall6-rtrules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-rtrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-rules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,8 +27,8 @@
    <para>Entries in this file govern connection establishment by defining
    exceptions to the policies laid out in <ulink
-    url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
+    url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By
-    subsequent requests and responses are automatically allowed using
+    default, subsequent requests and responses are automatically allowed using
    connection tracking. For any particular (source,dest) pair of zones, the
    rules are evaluated in the order in which they appear in this file and the
    first terminating match is the one that determines the disposition of the
@ -137,8 +139,8 @@
    <warning>
      <para>If you specify FASTACCEPT=Yes in <ulink
-      url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
+      url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then
-      role="bold">ESTABLISHED</emphasis> and <emphasis
+      the <emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
      role="bold">RELATED</emphasis> sections must be empty.</para>
      <para>An except is made if you are running Shorewall 4.4.27 or later and
@ -207,8 +209,8 @@
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
+                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
-                in /usr/share/shorewall/actions.std.</para>
+                or in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>
@ -302,7 +304,8 @@
                <para>Do not process any of the following rules for this
                (source zone,destination zone). If the source and/or
                destination IP address falls into a zone defined later in
-                <ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
+                <ulink
                url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
                or in a parent zone of the source or destination zones, then
                this connection request will be passed to the rules defined
                for that (those) zone(s). See <ulink
@ -629,8 +632,8 @@
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
+          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-          /usr/share/shorewall/actions.std then:</para>
+          or in /usr/share/shorewall/actions.std then:</para>
          <itemizedlist>
            <listitem>
@ -688,10 +691,10 @@
          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). This
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
-          <replaceable>zone-list</replaceable> may be optionally followed by
+          This <replaceable>zone-list</replaceable> may be optionally followed
-          "+" to indicate that the rule is to apply to intra-zone traffic as
+          by "+" to indicate that the rule is to apply to intra-zone traffic
-          well as inter-zone traffic.</para>
+          as well as inter-zone traffic.</para>
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
@ -856,18 +859,19 @@
        <listitem>
          <para>Location of Server. May be a zone declared in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
-          role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
+          $<emphasis role="bold">FW</emphasis> to indicate the firewall
-          role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
+          itself, <emphasis role="bold">all</emphasis>. <emphasis
-          <emphasis role="bold">none</emphasis>.</para>
+          role="bold">all+</emphasis> or <emphasis
          role="bold">none</emphasis>.</para>
          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). Ths
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
-          <replaceable>zone-list</replaceable> may be optionally followed by
+          Ths <replaceable>zone-list</replaceable> may be optionally followed
-          "+" to indicate that the rule is to apply to intra-zone traffic as
+          by "+" to indicate that the rule is to apply to intra-zone traffic
-          well as inter-zone traffic. Beginning with Shorewall-4.4.13,
+          as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
          exclusion is supported -- see see <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
@ -1559,9 +1563,9 @@
          </simplelist>
          <para>If the HELPERS option is specified in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then any module
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          specified in this column must be listed in the HELPERS
+          then any module specified in this column must be listed in the
-          setting.</para>
+          HELPERS setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-secmarks</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,10 +27,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
+      url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final secmark
+      evaluation of rules in this file will continue after a match. So the
-      for each packet will be the one assigned by the LAST rule that
+      final secmark for each packet will be the one assigned by the LAST rule
-      matches.</para>
+      that matches.</para>
    </important>
    <para>The secmarks file is used to associate an SELinux context with
@ -243,8 +245,8 @@
          <emphasis>port range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
-          a typename. See <ulink
+          typename. See <ulink
          url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
--- a/Shorewall6/manpages/shorewall6-stoppedrules.xml
+++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-stoppedrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-tcclasses</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -140,8 +142,8 @@
          <para>Normally, all classes defined here are sub-classes of a root
          class (class number 1) that is implicitly defined from the entry in
          <ulink
-          url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
+          url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5).
-          can establish a class hierarchy by specifying a
+          You can establish a class hierarchy by specifying a
          <emphasis>parent</emphasis> class -- the number of a class that you
          have previously defined. The sub-class may borrow unused bandwidth
          from its parent.</para>
@ -155,13 +157,13 @@
        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
-          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file,
+          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
-          marking the traffic you want to fit in the classes defined in here.
+          file, marking the traffic you want to fit in the classes defined in
-          Must be specified as '-' if the <emphasis
+          here. Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
          <ulink
-          url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
+          url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
-          you are running Shorewall 4.5 5 or earlier.</para>
+          and you are running Shorewall 4.5 5 or earlier.</para>
          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@ -672,10 +674,10 @@
          priority number, giving less delay) and will be granted excess
          bandwidth (up to 180kbps, the class ceiling) first, before any other
          traffic. A single VoIP stream, depending upon codecs, after
-          encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
+          encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
-          little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
+          a little bit just in case. (TOS byte values 0xb8 and 0x68 are
-          classes EF and AFF3-1 respectively and are often used by VOIP
+          DiffServ classes EF and AFF3-1 respectively and are often used by
-          devices).</para>
+          VOIP devices).</para>
          <para>Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
          echo traffic if you use the example in tcrules) and any packet with
--- a/Shorewall6/manpages/shorewall6-tcdevices.xml
+++ b/Shorewall6/manpages/shorewall6-tcdevices.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-tcdevices</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -151,8 +153,7 @@
          Beginning with Shorewall 4.4.25, a rate-estimated policing filter
          may be configured instead. Rate-estimated filters should be used
          with Ethernet adapters that have Generic Receive Offload enabled by
-          default. See <ulink
+          default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
          url="/FAQ.htm#faq97a">Shorewall FAQ
          97a</ulink>.</para>
          <para>To create a rate-estimated filter, precede the bandwidth with
--- a/Shorewall6/manpages/shorewall6-tcfilters.xml
+++ b/Shorewall6/manpages/shorewall6-tcfilters.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-tcfilters</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-tcinterfaces.xml
+++ b/Shorewall6/manpages/shorewall6-tcinterfaces.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-tcinterfaces</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,7 +27,8 @@
    <para>This file lists the interfaces that are subject to simple traffic
    shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
-    <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+    <ulink
    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
    <para>A note on the <emphasis>bandwidth</emphasis> definition used in this
    file:</para>
@ -161,8 +164,7 @@
          Beginning with Shorewall 4.4.25, a rate-estimated policing filter
          may be configured instead. Rate-estimated filters should be used
          with Ethernet adapters that have Generic Receive Offload enabled by
-          default. See <ulink
+          default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
          url="/FAQ.htm#faq97a">Shorewall FAQ
          97a</ulink>.</para>
          <para>To create a rate-estimated filter, precede the bandwidth with
--- a/Shorewall6/manpages/shorewall6-tcpri.xml
+++ b/Shorewall6/manpages/shorewall6-tcpri.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-tcpri</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -25,12 +27,13 @@
    <para>This file is used to specify the priority band of traffic for simple
    traffic shaping (TC_ENABLED=Simple in <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The
-    of each packet is determined by the <emphasis role="bold">last</emphasis>
+    priority band of each packet is determined by the <emphasis
-    entry that the packet matches. If a packet doesn't match any entry in this
+    role="bold">last</emphasis> entry that the packet matches. If a packet
-    file, then its priority will be determined by its TOS field. The default
+    doesn't match any entry in this file, then its priority will be determined
-    mapping is as follows but can be changed by setting the TC_PRIOMAP option
+    by its TOS field. The default mapping is as follows but can be changed by
-    in <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+    setting the TC_PRIOMAP option in <ulink
    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
 ------------------------------------------------------------
@ -131,8 +134,8 @@
        [<replaceable>helper</replaceable>]</term>
        <listitem>
-          <para>Optional. Names a Netfilter protocol helper module such as ftp,
+          <para>Optional. Names a Netfilter protocol helper module such as
-          sip, amanda, etc. A packet will match if it was accepted by the
+          ftp, sip, amanda, etc. A packet will match if it was accepted by the
          named helper module. You can also append "-" and a port number to
          the helper module name (e.g., ftp-21) to specify the port number
          that the original connection was made on.</para>
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@ -3,9 +3,11 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall6-mangle</refentrytitle>
+    <refentrytitle>shorewall6-tcrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -28,10 +30,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
+      url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final mark for
+      evaluation of rules in this file will continue after a match. So the
-      each packet will be the one assigned by the LAST tcrule that
+      final mark for each packet will be the one assigned by the LAST tcrule
-      matches.</para>
+      that matches.</para>
      <para>If you use multiple internet providers with the 'track' option, in
      /etc/shorewall6/providers be sure to read the restrictions at <ulink
@ -517,7 +519,8 @@
              [<replaceable>option</replaceable>] ...") after any matches
              specified at the end of the rule. If the target is not one known
              to Shorewall, then it must be defined as a builtin action in
-              <ulink url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
+              <ulink
              url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
              (5).</para>
              <para>The following rules are equivalent:</para>
@ -529,8 +532,8 @@ INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
 INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2</programlisting>
              <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
+              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
-              third rule above can be specified as follows:</para>
+              then the third rule above can be specified as follows:</para>
              <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
--- a/Shorewall6/manpages/shorewall6-template.xml
+++ b/Shorewall6/manpages/shorewall6-template.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -54,10 +56,11 @@
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
    shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
-    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-tos.xml
+++ b/Shorewall6/manpages/shorewall6-tos.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-tos</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall6/manpages/shorewall6-tunnels.xml
+++ b/Shorewall6/manpages/shorewall6-tunnels.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-tunnels</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -27,8 +29,8 @@
    encrypted) traffic to pass between the Shorewall6 system and a remote
    gateway. Traffic flowing through the tunnel is handled using the normal
    zone/policy/rule mechanism. See <ulink
-    url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
+    url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink> for
-    for details.</para>
+    details.</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
@ -138,8 +140,8 @@
          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
          may be given. Exclusion (<ulink
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
-          is not supported.</para>
+          (5) ) is not supported.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-vardir.xml
+++ b/Shorewall6/manpages/shorewall6-vardir.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-vardir</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -55,10 +57,11 @@
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
-    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-zones.xml
+++ b/Shorewall6/manpages/shorewall6-zones.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6-zones</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -44,17 +46,17 @@
          "none", "SOURCE" and "DEST" are reserved and may not be used as zone
          names. The maximum length of a zone name is determined by the
          setting of the LOGFORMAT option in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          default LOGFORMAT, zone names can be at most 5 characters
+          With the default LOGFORMAT, zone names can be at most 5 characters
          long.</para>
          <blockquote>
            <para>The maximum length of an iptables log prefix is 29 bytes. As
            explained in <ulink
-            url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5), the default
+            url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5),
-            LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
+            the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
-            %s is replaced by the chain name and the second is replaced by the
+            where the first %s is replaced by the chain name and the second is
-            disposition.</para>
+            replaced by the disposition.</para>
            <itemizedlist>
              <listitem>
@ -95,8 +97,8 @@
          follow the (sub)zone name by ":" and a comma-separated list of the
          parent zones. The parent zones must have been declared in earlier
          records in this file. See <ulink
-          url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
+          url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
-          additional information.</para>
+          for additional information.</para>
          <para>Example:</para>
@ -108,8 +110,8 @@ c:a,b     ipv6</programlisting>
          <para>Currently, Shorewall6 uses this information to reorder the
          zone list so that parent zones appear after their subzones in the
          list. The IMPLICIT_CONTINUE option in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can
-          create implicit CONTINUE policies to/from the subzone.</para>
+          also create implicit CONTINUE policies to/from the subzone.</para>
          <para>Where an <emphasis role="bold">ipsec</emphasis> zone is
          explicitly included as a child of an <emphasis
@ -178,7 +180,8 @@ c:a,b     ipv6</programlisting>
              <listitem>
                <para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
                Linux-vserver guests. The zone contents must be defined in
-                <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
+                <ulink
                url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
                (5).</para>
                <para>Vserver zones are implicitly handled as subzones of the
@ -353,8 +356,8 @@ c:a,b     ipv6</programlisting>
              <listitem>
                <para>sets the MSS field in TCP packets. If you supply this
                option, you should also set FASTACCEPT=No in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
-                insure that both the SYN and SYN,ACK packets have their MSS
+                to insure that both the SYN and SYN,ACK packets have their MSS
                field adjusted.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -286,7 +288,8 @@
                <listitem>
                  <para>Specify the appropriate helper in the HELPER column in
-                  <ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
+                  <ulink
                  url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
                  (5).</para>
                  <note>
@ -393,9 +396,10 @@
          packets that are UNTRACKED due to entries in <ulink
          url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
          This includes entries in the <ulink
-          url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
+          url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
-          and in the BLACKLIST section of <ulink
+          (5) file and in the BLACKLIST section of <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
          (5).</para>
          <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
          role="bold">no</emphasis>, blacklists are consulted for every packet
@ -464,8 +468,8 @@
          /etc/shorewall6/tcstart file. That way, your traffic shaping rules
          can still use the “fwmark” classifier based on packet marking
          defined in <ulink
-          url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5). If not
+          url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
-          specified, CLEAR_TC=No is assumed.</para>
+          If not specified, CLEAR_TC=No is assumed.</para>
          <warning>
            <para>If you also run Shorewall and if you have
@ -861,11 +865,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <para>Subzones are defined by following their name with ":" and a
          list of parent zones (in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)). Normally,
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)).
-          you want to have a set of special rules for the subzone and if a
+          Normally, you want to have a set of special rules for the subzone
-          connection doesn't match any of those subzone-specific rules then
+          and if a connection doesn't match any of those subzone-specific
-          you want the parent zone rules and policies to be applied; see
+          rules then you want the parent zone rules and policies to be
-          <ulink url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
+          applied; see <ulink
          url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
          With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
          <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@ -882,9 +887,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
-          separates column-oriented specifications on the left from <ulink
+          a semicolon separates column-oriented specifications on the left
-          url="/configuration_file_basics.htm#Pairs">alternative
+          from <ulink url="/configuration_file_basics.htm#Pairs">alternative
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. If not specified or
@ -900,10 +905,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          INVALID packets through the NEW section of <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5). When a
+          url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5).
-          packet in INVALID state fails to match any rule in the INVALID
+          When a packet in INVALID state fails to match any rule in the
-          section, the packet is disposed of based on this setting. The
+          INVALID section, the packet is disposed of based on this setting.
-          default value is CONTINUE for compatibility with earlier
+          The default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@ -915,8 +920,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
          do not match any rule in the INVALID section of <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
-          logged at this level. The default value is empty which means no
+          are logged at this level. The default value is empty which means no
          logging is performed.</para>
        </listitem>
      </varlistentry>
@ -1205,7 +1210,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <note>
            <para>The setting of LOGFORMAT has an effect of the permitted
            length of zone names. See <ulink
-            url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).</para>
+            url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
            (5).</para>
          </note>
        </listitem>
      </varlistentry>
@ -1373,8 +1379,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>The performance of configurations with a large numbers of
          entries in <ulink
-          url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5) can be
+          url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5)
-          improved by setting the MACLIST_TTL variable in <ulink
+          can be improved by setting the MACLIST_TTL variable in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>If your iptables and kernel support the "Recent Match" (see
@ -1384,14 +1390,15 @@ LOG:info:,bar                        net                    fw</programlisting>
          <para>When a new connection arrives from a 'maclist' interface, the
          packet passes through then list of entries for that interface in
-          <ulink url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5). If
+          <ulink
-          there is a match then the source IP address is added to the 'Recent'
+          url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5).
-          set for that interface. Subsequent connection attempts from that IP
+          If there is a match then the source IP address is added to the
-          address occurring within $MACLIST_TTL seconds will be accepted
+          'Recent' set for that interface. Subsequent connection attempts from
-          without having to scan all of the entries. After $MACLIST_TTL from
+          that IP address occurring within $MACLIST_TTL seconds will be
-          the first accepted connection request from an IP address, the next
+          accepted without having to scan all of the entries. After
-          connection request from that IP address will be checked against the
+          $MACLIST_TTL from the first accepted connection request from an IP
-          entire list.</para>
+          address, the next connection request from that IP address will be
          checked against the entire list.</para>
          <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
          MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@ -1860,10 +1867,10 @@ LOG:info:,bar                        net                    fw</programlisting>
          <para>Added in Shorewall 4.4.27. Shorewall has traditionally
          ACCEPTed RELATED packets that don't match any rule in the RELATED
          section of <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
-          about the safety of this practice resulted in the addition of this
+          Concern about the safety of this practice resulted in the addition
-          option. When a packet in RELATED state fails to match any rule in
+          of this option. When a packet in RELATED state fails to match any
-          the RELATED section, the packet is disposed of based on this
+          rule in the RELATED section, the packet is disposed of based on this
          setting. The default value is ACCEPT for compatibility with earlier
          versions.</para>
        </listitem>
@ -1876,8 +1883,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Packets in the related state that
          do not match any rule in the RELATED section of <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
-          logged at this level. The default value is empty which means no
+          are logged at this level. The default value is empty which means no
          logging is performed.</para>
        </listitem>
      </varlistentry>
@ -2040,9 +2047,9 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. The default setting is DROP which
          causes smurf packets (see the nosmurfs option in <ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)) to
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
-          be dropped. A_DROP causes the packets to be audited prior to being
+          to be dropped. A_DROP causes the packets to be audited prior to
-          dropped and requires AUDIT_TARGET support in the kernel and
+          being dropped and requires AUDIT_TARGET support in the kernel and
          ip6tables.</para>
        </listitem>
      </varlistentry>
@ -2187,7 +2194,8 @@ INLINE          -       -       -       ; -j REJECT
          <filename>tcdevices</filename> and <filename>tcclasses</filename>
          files. This allows the compiler to have access to your Shorewall
          traffic shaping configuration so that it can validate CLASSIFY rules
-          in <ulink url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
+          in <ulink
          url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
          (5).</para>
          <warning>
@ -2222,12 +2230,12 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
          TOS field to priority bands. See <ulink
-          url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
+          url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5).
-          <emphasis>map</emphasis> consists of 16 space-separated digits with
+          The <emphasis>map</emphasis> consists of 16 space-separated digits
-          values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
+          with values 1, 2 or 3. A value of 1 corresponds to Linux priority 0,
-          Linux priority 1, and 3 to Linux Priority 2. The first entry gives
+          2 to Linux priority 1, and 3 to Linux Priority 2. The first entry
-          the priority of TOS value 0, the second of TOS value 1, and so on.
+          gives the priority of TOS value 0, the second of TOS value 1, and so
-          See tc-prio(8) for additional information.</para>
+          on. See tc-prio(8) for additional information.</para>
          <para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2
          2 2".</para>
@ -2273,8 +2281,8 @@ INLINE          -       -       -       ; -j REJECT
          <para>Added in Shorewall 4.4.3. When set to Yes, causes the
          <option>track</option> option to be assumed on all providers defined
          in <ulink
-          url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5). May
+          url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).
-          be overridden on an individual provider through use of the
+          May be overridden on an individual provider through use of the
          <option>notrack</option> option. The default value is 'No'.</para>
          <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@ -2286,14 +2294,15 @@ INLINE          -       -       -       ; -j REJECT
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
          those added for VPNs) to be effective. The <ulink
-          url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
+          url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
-          created to provide a better alternative to clearing the packet mark.
+          file was created to provide a better alternative to clearing the
-          As a consequence, passing these packets to PREROUTING complicates
+          packet mark. As a consequence, passing these packets to PREROUTING
-          things without providing any real benefit. Beginning with Shorewall
+          complicates things without providing any real benefit. Beginning
-          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
+          with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
-          through 'tracked' interfaces will not be passed to the PREROUTING
+          packets arriving through 'tracked' interfaces will not be passed to
-          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
+          the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
-          change should be transparent to most, if not all, users.</para>
+          4.4.3, this change should be transparent to most, if not all,
          users.</para>
        </listitem>
      </varlistentry>
@ -2322,10 +2331,10 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          UNTRACKED packets through the NEW section of <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
-          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          When a packet in UNTRACKED state fails to match any rule in the
-          section, the packet is disposed of based on this setting. The
+          UNTRACKED section, the packet is disposed of based on this setting.
-          default value is CONTINUE for compatibility with earlier
+          The default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@ -2337,8 +2346,8 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
          do not match any rule in the UNTRACKED section of <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
-          logged at this level. The default value is empty which means no
+          are logged at this level. The default value is empty which means no
          logging is performed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@ -6,6 +6,8 @@
    <refentrytitle>shorewall6</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>Administrative Commands</refmiscinfo>
  </refmeta>
  <refnamediv>
@ -659,9 +661,9 @@
    role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
    options are omitted, the amount of output is determined by the setting of
    the VERBOSITY parameter in <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each
-    role="bold">v</emphasis> adds one to the effective verbosity and each
+    <emphasis role="bold">v</emphasis> adds one to the effective verbosity and
-    <emphasis role="bold">q</emphasis> subtracts one from the effective
+    each <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
    followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
    There may be no white-space between <emphasis role="bold">v</emphasis> and
@ -701,10 +703,10 @@
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
-          single ipset to handle entries for multiple interfaces. When that
+          allows a single ipset to handle entries for multiple interfaces.
-          option is specified for a zone, the <command>add</command> command
+          When that option is specified for a zone, the <command>add</command>
-          has the alternative syntax in which the
+          command has the alternative syntax in which the
          <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
@ -756,7 +758,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@ -822,7 +825,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@ -842,11 +846,11 @@
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
-          single ipset to handle entries for multiple interfaces. When that
+          allows a single ipset to handle entries for multiple interfaces.
-          option is specified for a zone, the <command>delete</command>
+          When that option is specified for a zone, the
-          command has the alternative syntax in which the
+          <command>delete</command> command has the alternative syntax in
-          <replaceable>zone</replaceable> name precedes the
+          which the <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>
@ -865,8 +869,8 @@
          any optional network interface. <replaceable>interface</replaceable>
          may be either the logical or physical name of the interface. The
          command removes any routes added from <ulink
-          url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
+          url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
-          traffic shaping configuration for the interface.</para>
+          and any traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>
@ -912,8 +916,8 @@
          may be either the logical or physical name of the interface. The
          command sets <filename>/proc</filename> entries for the interface,
          adds any route specified in <ulink
-          url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and
+          url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
-          installs the interface's traffic shaping configuration, if
+          and installs the interface's traffic shaping configuration, if
          any.</para>
        </listitem>
      </varlistentry>
@ -1032,7 +1036,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -1043,7 +1048,8 @@
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then discarded. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
          (5).</para>
        </listitem>
      </varlistentry>
@ -1052,7 +1058,8 @@
        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
          produces an audible alarm when new Shorewall6 messages are logged.
          The <emphasis role="bold">-m</emphasis> option causes the MAC
          address of each packet source to be displayed if that information is
@ -1072,7 +1079,8 @@
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then rejected. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
          (5).</para>
        </listitem>
      </varlistentry>
@ -1124,7 +1132,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
@ -1184,7 +1193,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -1229,9 +1239,9 @@
          <para>The <option>-c</option> option was added in Shorewall 4.4.20
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          <option>-f</option> and <option>-c </option>are present, the result
+          When both <option>-f</option> and <option>-c </option>are present,
-          is determined by the option that appears last.</para>
+          the result is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
@ -1241,7 +1251,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -1445,8 +1456,8 @@
              <listitem>
                <para>Displays the last 20 Shorewall6 messages from the log
                file specified by the LOGFILE option in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-                <emphasis role="bold">-m</emphasis> option causes the MAC
+                The <emphasis role="bold">-m</emphasis> option causes the MAC
                address of each packet source to be displayed if that
                information is available.</para>
              </listitem>
@ -1537,16 +1548,16 @@
          for configuration files. If <emphasis role="bold">-f</emphasis> is
          specified, the saved configuration specified by the RESTOREFILE
          option in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) will be
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
-          restored if that saved configuration exists and has been modified
+          will be restored if that saved configuration exists and has been
-          more recently than the files in /etc/shorewall6. When <emphasis
+          modified more recently than the files in /etc/shorewall6. When
-          role="bold">-f</emphasis> is given, a
+          <emphasis role="bold">-f</emphasis> is given, a
          <replaceable>directory</replaceable> may not be specified.</para>
          <para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
          was added to <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          LEGACY_FASTSTART=No, the modification times of files in
+          When LEGACY_FASTSTART=No, the modification times of files in
          /etc/shorewall6 are compared with that of
          /var/lib/shorewall6/firewall (the compiled script that last
          started/restarted the firewall).</para>
@ -1557,9 +1568,9 @@
          <para>The <option>-c</option> option was added in Shorewall 4.4.20
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          <option>-f</option> and <option>-c </option>are present, the result
+          When both <option>-f</option> and <option>-c </option>are present,
-          is determined by the option that appears last.</para>
+          the result is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
@ -1569,7 +1580,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -1581,9 +1593,9 @@
          listed in <ulink
          url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
          or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), are taken
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          down. The only new traffic permitted through the firewall is from
+          are taken down. The only new traffic permitted through the firewall
-          systems listed in <ulink
+          is from systems listed in <ulink
          url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
        </listitem>
@ -1652,13 +1664,15 @@
          <para>The <option>-b</option> option was added in Shorewall 4.4.26
          and causes legacy blacklisting rules (<ulink
-          url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
+          url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>
-          to be converted to entries in the blrules file (<ulink
+          (5) ) to be converted to entries in the blrules file (<ulink
-          url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
+          url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
-          blacklist keyword is removed from <ulink
+          (5) ). The blacklist keyword is removed from <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5),
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5)
+          <ulink
-          and <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
          (5) and <ulink
          url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
          The unmodified files are saved with a .bak suffix.</para>
          <para>The <option>-D</option> option was added in Shorewall 4.5.11.
@ -1672,7 +1686,8 @@
          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
          <para>For a description of the other options, see the <emphasis
          role="bold">check</emphasis> command above.</para>