ipfw(8): Bugfixes for some issues reported by mandoc

- whitespace at end of input line
- new sentence, new line
- skipping paragraph macro: Pp before Pp

MFC after:	1 week
Gordon Bergling 2020-10-03 18:30:01 +00:00
parent 9c584fa4bc
commit 8636dd5703
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=366402


@ -527,9 +527,9 @@ ipfw add 10 skipto 4000 all from any to any layer2 out
ether_demux and bdg_forward).
.Pp
Also note that only actions
.Cm allow,
.Cm deny,
.Cm netgraph,
.Cm allow ,
.Cm deny ,
.Cm netgraph ,
.Cm ngtee
and related to
.Cm dummynet
@ -682,7 +682,7 @@ to simulate the effect of multiple paths leading to out-of-order
packet delivery.
.Pp
Note: this condition is checked before any other condition, including
ones such as
ones such as
.Cm keep-state
or
.Cm check-state
@ -991,7 +991,8 @@ It is possible to use the
.Cm tablearg
keyword with a skipto for a
.Em computed
skipto. Skipto may work either in O(log(N)) or in O(1) depending
skipto.
Skipto may work either in O(log(N)) or in O(1) depending
on amount of memory and/or sysctl variables.
See the
.Sx SYSCTL VARIABLES
@ -1454,7 +1455,7 @@ or a hostname)
and the mask of
.Ar mask ,
specified as allowed by
.Xr inet_pton.
.Xr inet_pton .
As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match
fe:*:*:*:0:640:*:*.
This form is advised only for non-contiguous
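Review bot: the `.Xr inet_pton .` line still lacks a manual section argument, so the cross-reference will not resolve to a page and mandoc keeps warning about it; since the line is being touched anyway, make it `.Xr inet_pton 3 .` so the reference points at the libc function's page.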
@ -1528,7 +1529,8 @@ Alias for
.Cm layer2 .
.It Cm defer-immediate-action | defer-action
A rule with this option will not perform normal action
upon a match. This option is intended to be used with
upon a match.
This option is intended to be used with
.Cm record-state
or
.Cm keep-state
@ -1539,8 +1541,9 @@ Rules with both
and
.Cm defer-immediate-action
create a dynamic rule and continue with the next rule without actually
performing the action part of this rule. When the rule is later activated
via the state table, the action is performed as usual.
performing the action part of this rule.
When the rule is later activated via the state table, the action is
performed as usual.
.It Cm diverted
Matches only packets generated by a divert socket.
.It Cm diverted-loopback
@ -1604,7 +1607,7 @@ Matches IPv6 packets containing any of the flow labels given in
is a comma separated list of numeric flow labels.
.It Cm frag Ar spec
Matches IPv4 packets whose
.Cm ip_off
.Cm ip_off
field contains the comma separated list of IPv4 fragmentation
options specified in
.Ar spec .
@ -1793,7 +1796,8 @@ packet is found.
The
.Ar :flowname
is used to assign additional to addresses, ports and protocol parameter
to dynamic rule. It can be used for more accurate matching by
to dynamic rule.
It can be used for more accurate matching by
.Cm check-state
rule.
The
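Review bot: the sentence "is used to assign additional to addresses, ports and protocol parameter to dynamic rule" is garbled ("assign additional to addresses") and the hunk only splits it at the full stop; while this paragraph is being reflowed, reword it to something like "is used to assign an additional parameter, besides addresses, ports and protocol, to the dynamic rule".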
@ -2212,8 +2216,8 @@ One or more entries can be added to a table at once using
command.
Addition of all items are performed atomically.
By default, error in addition of one entry does not influence
addition of other entries. However, non-zero error code is returned
in that case.
addition of other entries.
However, non-zero error code is returned in that case.
Special
.Cm atomic
keyword may be specified before
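Review bot: the context line "Addition of all items are performed atomically." has a subject-verb disagreement ("Addition ... is") and sits right above the sentence this hunk splits; fixing it in the same touch keeps the paragraph consistent. The same agreement fix applies to the parallel "removing of other entries" paragraph in the next hunk.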
@ -2224,8 +2228,8 @@ One or more entries can be removed from a table at once using
.Cm delete
command.
By default, error in removal of one entry does not influence
removing of other entries. However, non-zero error code is returned
in that case.
removing of other entries.
However, non-zero error code is returned in that case.
.Pp
It may be possible to check what entry will be found on particular
.Ar table-key
@ -2983,10 +2987,12 @@ and
are integer numbers specifying thresholds for queue management
(thresholds are computed in bytes if the queue has been defined
in bytes, in slots otherwise).
The two parameters can also be of the same value if needed. The
The two parameters can also be of the same value if needed.
The
.Nm dummynet
also supports the gentle RED variant (gred) and ECN (Explicit Congestion
Notification) as optional. Three
Notification) as optional.
Three
.Xr sysctl 8
variables can be used to control the RED behaviour:
.Bl -tag -width indent
@ -3266,7 +3272,7 @@ Skip instance in case of global state lookup (see below).
.El
.Pp
Some specials value can be supplied instead of
.Va nat_number:
.Va nat_number :
.Bl -tag -width indent
.It Cm global
Looks up translation state in all configured nat instances.
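Review bot: the line just above the changed `.Va nat_number :` reads "Some specials value can be supplied"; since this sentence is being edited for the macro spacing, correct it to "Some special values can be supplied" at the same time.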
@ -3370,7 +3376,7 @@ Thus translator host should be configured as IPv4 and IPv6 router.
Also this means, that a packet is handled by firewall twice.
First time an original packet is handled and consumed by translator,
and then it is handled again as translated packet.
This behavior can be changed by sysctl variable
This behavior can be changed by sysctl variable
.Va net.inet.ip.fw.nat64_direct_output .
Also translated packet can be tagged using
.Cm tag
@ -3400,7 +3406,8 @@ in the states table will be dropped by translator.
Make sure that translation rules handle packets, destined to configured prefix.
.It Cm prefix6 Ar ipv6_prefix/length
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64.
to represent IPv4 addresses.
This IPv6 prefix should be configured in DNS64.
The translator implementation follows RFC6052, that restricts the length of
prefixes to one of following: 32, 40, 48, 56, 64, or 96.
The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
@ -3475,9 +3482,9 @@ you are able to see each handled packet before and after translation.
.It Cm -log
Turn off logging of all handled packets via BPF.
.It Cm allow_private
Turn on processing private IPv4 addresses. By default IPv6 packets with
destinations mapped to private address ranges defined by RFC1918 are not
processed.
Turn on processing private IPv4 addresses.
By default IPv6 packets with destinations mapped to private address ranges
defined by RFC1918 are not processed.
.It Cm -allow_private
Turn off private address handling in
.Nm nat64
@ -3493,7 +3500,6 @@ To inspect a states table of stateful NAT64 the following command can be used:
.Ek
.Ed
.Pp
.Pp
Stateless NAT64 translator doesn't use a states table for translation
and converts IPv4 addresses to IPv6 and vice versa solely based on the
mappings taken from configured lookup tables.
@ -3514,7 +3520,8 @@ The following parameters can be configured:
.Bl -tag -width indent
.It Cm prefix6 Ar ipv6_prefix/length
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64.
to represent IPv4 addresses.
This IPv6 prefix should be configured in DNS64.
.It Cm table4 Ar table46
The lookup table
.Ar table46
@ -3530,9 +3537,9 @@ interface.
.It Cm -log
Turn off logging of all handled packets via BPF.
.It Cm allow_private
Turn on processing private IPv4 addresses. By default IPv6 packets with
destinations mapped to private address ranges defined by RFC1918 are not
processed.
Turn on processing private IPv4 addresses.
By default IPv6 packets with destinations mapped to private address ranges
defined by RFC1918 are not processed.
.It Cm -allow_private
Turn off private address handling in
.Nm nat64
@ -3544,12 +3551,12 @@ packets differs from stateful translator.
If corresponding addresses was not found in the lookup tables, the packet
will not be dropped and the search continues.
.Pp
.Pp
.Ss XLAT464 CLAT translation
XLAT464 CLAT NAT64 translator implements client-side stateless translation as
defined in RFC6877 and is very similar to statless NAT64 translator
explained above. Instead of lookup tables it uses one-to-one mapping
between IPv4 and IPv6 addresses using configured prefixes.
explained above.
Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
addresses using configured prefixes.
This mode can be used as a replacement of DNS64 service for applications
that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
over IPv6-only networks with help of remote NAT64 translator.
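Review bot: the unchanged context line "very similar to statless NAT64 translator" carries the typo "statless"; the hunk already rewrites the rest of this sentence, so fold "stateless" into the same change rather than leaving a misspelling in a paragraph the commit touches.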
@ -3571,8 +3578,8 @@ The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
to represent source IPv4 addresses.
.It Cm plat_prefix Ar ipv6_prefix/length
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
to represent destination IPv4 addresses. This IPv6 prefix should be configured
on a remote NAT64 translator.
to represent destination IPv4 addresses.
This IPv6 prefix should be configured on a remote NAT64 translator.
.It Cm log
Turn on logging of all handled packets via BPF through
.Ar ipfwlog0
@ -3580,7 +3587,8 @@ interface.
.It Cm -log
Turn off logging of all handled packets via BPF.
.It Cm allow_private
Turn on processing private IPv4 addresses. By default
Turn on processing private IPv4 addresses.
By default
.Nm nat64clat
instance will not process IPv4 packets with destination address from private
ranges as defined in RFC1918.
@ -3632,7 +3640,8 @@ and
.Cm ext_if
options are mutually exclusive.
.It Cm prefixlen Ar length
The length of specified IPv6 prefixes. It must be in range from 8 to 64.
The length of specified IPv6 prefixes.
It must be in range from 8 to 64.
.El
.Pp
Note that the prefix translation rules are silently ignored when IPv6 packet
@ -4086,7 +4095,7 @@ Controls the output method used by
module:
.Bl -tag -width indent
.It Cm 0
A packet is handled by
A packet is handled by
.Nm ipfw
twice.
First time an original packet is handled by
@ -4277,11 +4286,11 @@ ruleset to minimize the amount of work scanning the ruleset.
Your mileage may vary.
.Pp
For more complex scenarios with dynamic rules
.Cm record-state
.Cm record-state
and
.Cm defer-action
can be used to precisely control creation and checking of dynamic rules.
Example of usage of these options are provided in
Example of usage of these options are provided in
.Sx NETWORK ADDRESS TRANSLATION (NAT)
Section.
.Pp
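Review bot: "Example of usage of these options are provided in" is only de-spaced here but still has a number disagreement; "Examples of usage of these options are provided in" (or "An example ... is provided in") would read correctly, and the trailing "Section." after the `.Sx` reference is normally lower-case "section."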
@ -4552,21 +4561,24 @@ or it could be split in:
.Dl "ipfw nat 5 config redirect_port tcp"
.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500"
.Pp
Sometimes you may want to mix NAT and dynamic rules. It could be achieved with
Sometimes you may want to mix NAT and dynamic rules.
It could be achieved with
.Cm record-state
and
.Cm defer-action
options. Problem is, you need to create dynamic rule before NAT and check it
options.
Problem is, you need to create dynamic rule before NAT and check it
after NAT actions (or vice versa) to have consistent addresses and ports.
Rule with
.Cm keep-state
option will trigger activation of existing dynamic state, and action of such
rule will be performed as soon as rule is matched. In case of NAT and
rule will be performed as soon as rule is matched.
In case of NAT and
.Cm allow
rule packet need to be passed to NAT, not allowed as soon is possible.
.Pp
There is example of set of rules to achieve this. Bear in mind that this
is example only and it is not very useful by itself.
There is example of set of rules to achieve this.
Bear in mind that this is example only and it is not very useful by itself.
.Pp
On way out, after all checks place this rules:
.Pp
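Review bot: the sentence "rule packet need to be passed to NAT, not allowed as soon is possible." is split by this hunk but remains ungrammatical; suggest "rule, the packet needs to be passed to NAT, not allowed as soon as possible." The nearby context line "On way out, after all checks place this rules:" has the same problem ("these rules").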
@ -4579,10 +4591,11 @@ And on way in there should be something like this:
.Dl "ipfw add check-state"
.Pp
Please note, that first rule on way out doesn't allow packet and doesn't
execute existing dynamic rules. All it does, create new dynamic rule with
execute existing dynamic rules.
All it does, create new dynamic rule with
.Cm allow
action, if it is not created yet. Later, this dynamic rule is used on way
in by
action, if it is not created yet.
Later, this dynamic rule is used on way in by
.Cm check-state
rule.
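Review bot: "All it does, create new dynamic rule with" is kept as-is after the sentence split; "All it does is create a new dynamic rule with" would make the new standalone sentence read cleanly, which is the point of the new-sentence-new-line change.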
.Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
@ -4593,7 +4606,7 @@ AQM can be configured for
.Nm dummynet
.Cm pipe
or
.Cm queue.
.Cm queue .
.Pp
To configure a
.Cm pipe
@ -4665,7 +4678,7 @@ to 10ms, we do:
.Dl "ipfw sched 1 config pipe 1 type fq_codel target 10ms noecn"
.Pp
Similar to
.Cm fq_codel,
.Cm fq_codel ,
to configure
.Cm fq_pie
scheduler using different configurations parameters for traffic from