chains one cannot match on the bridge output port, however one can in the
.B "filter OUTPUT"
chain. If the packet won't leave by a bridge device or it is yet unknown what
-the output device will be, then the packet won't match this option, unless
-'!' is used.
+the output device will be, then the packet won't match this option,
+unless '!' is used.
.TP
.B --physdev-is-in
Matches if the packet has entered through a bridge interface.
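Review bot: The re-wrap of `unless '!' is used.` fixes the rendering only by keeping the apostrophe off the start of the input line. roff treats a line that begins with ' as a control line, which is why the old `'!' is used.` line did not print as text. A later re-flow of this paragraph can bring the problem back, so consider protecting the quote itself, for example by writing `\&'!'`, so the text is safe wherever the line break falls.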
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
-.TP
+.RS
+.PP
(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
.SS SNAT
This target is only valid in the
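Review bot: The `.RS` added before the `(*)` footnote has no matching `.RE` in the visible lines, so the relative indent is still open when `.SS SNAT` begins. Add `.RE` directly after the footnote line, or drop `.RS` and keep only `.PP` if the extra indent is not wanted.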
entering the
.B FORWARD
chain.
-.PP The various forms of NAT have been separated out;
+.PP
+The various forms of NAT have been separated out;
.B iptables
is a pure packet filter when using the default `filter' table, with
optional extension modules. This should simplify much of the previous
--- /dev/null
+diff --git a/manual/iptables/original/man3/libipq.3 b/manual/iptables/original/man3/libipq.3
+index 1a0984d..a2dfbfb 100644
+--- a/manual/iptables/original/man3/libipq.3
++++ b/manual/iptables/original/man3/libipq.3
+@@ -48,9 +48,9 @@ and queued for userspace processing via the QUEUE target. For example,
+ running the following commands:
+ .PP
+ # modprobe iptable_filter
+-.br
++.br
+ # modprobe ip_queue
+-.br
++.br
+ # iptables -A OUTPUT -p icmp -j QUEUE
+ .PP
+ will cause any locally generated ICMP packets (e.g. ping output) to
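Review bot: The two `.br` replacements in the libipq.3 hunk show identical removed and added text, so the change is presumably whitespace only (an assumption, since the difference is not visible here) and cannot be checked by reading the diff. Say in the commit message what changed on these lines, for example trailing whitespace removed, so the hunk is not taken for a no-op.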
+diff --git a/manual/iptables/original/man8/ip6tables-restore.8 b/manual/iptables/original/man8/ip6tables-restore.8
+index 43c1268..55e82ce 100644
+--- a/manual/iptables/original/man8/ip6tables-restore.8
++++ b/manual/iptables/original/man8/ip6tables-restore.8
+@@ -33,7 +33,6 @@ I/O redirection provided by your shell to read from a file
+ restore the values of all packet and byte counters
+ .TP
+ \fB\-n\fR, \fB\-\-noflush\fR
+-.TP
+ don't flush the previous contents of the table. If not specified,
+ .B ip6tables-restore
+ flushes (deletes) all previous contents of the respective IPv6 Table.
+diff --git a/manual/iptables/original/man8/ip6tables-save.8 b/manual/iptables/original/man8/ip6tables-save.8
+index c8b3e96..48c70a6 100644
+--- a/manual/iptables/original/man8/ip6tables-save.8
++++ b/manual/iptables/original/man8/ip6tables-save.8
+@@ -33,7 +33,6 @@ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+ include the current values of all packet and byte counters in the output
+ .TP
+ \fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+-.TP
+ restrict output to only one table. If not specified, output includes all
+ available tables.
+ .SH BUGS
+diff --git a/manual/iptables/original/man8/iptables-restore.8 b/manual/iptables/original/man8/iptables-restore.8
+index e2649e5..e80d943 100644
+--- a/manual/iptables/original/man8/iptables-restore.8
++++ b/manual/iptables/original/man8/iptables-restore.8
+@@ -33,7 +33,6 @@ I/O redirection provided by your shell to read from a file
+ restore the values of all packet and byte counters
+ .TP
+ \fB\-n\fR, \fB\-\-noflush\fR
+-.TP
+ don't flush the previous contents of the table. If not specified,
+ .B iptables-restore
+ flushes (deletes) all previous contents of the respective IP Table.
+diff --git a/manual/iptables/original/man8/iptables-save.8 b/manual/iptables/original/man8/iptables-save.8
+index f9c7d65..152e4db 100644
+--- a/manual/iptables/original/man8/iptables-save.8
++++ b/manual/iptables/original/man8/iptables-save.8
+@@ -33,7 +33,6 @@ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+ include the current values of all packet and byte counters in the output
+ .TP
+ \fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+-.TP
+ restrict output to only one table. If not specified, output includes all
+ available tables.
+ .SH BUGS
+diff --git a/manual/iptables/original/man8/iptables.8 b/manual/iptables/original/man8/iptables.8
+index b79f1ec..258fce3 100644
+--- a/manual/iptables/original/man8/iptables.8
++++ b/manual/iptables/original/man8/iptables.8
+@@ -589,8 +589,8 @@ interface which begins with this name will match. Note that in the
+ chains one cannot match on the bridge output port, however one can in the
+ .B "filter OUTPUT"
+ chain. If the packet won't leave by a bridge device or it is yet unknown what
+-the output device will be, then the packet won't match this option, unless
+-'!' is used.
++the output device will be, then the packet won't match this option,
++unless '!' is used.
+ .TP
+ .B --physdev-is-in
+ Matches if the packet has entered through a bridge interface.
+@@ -883,7 +883,8 @@ TCP RST packet to be sent back. This is mainly useful for blocking
+ .I ident
+ (113/tcp) probes which frequently occur when sending mail to broken mail
+ hosts (which won't accept your mail otherwise).
+-.TP
++.RS
++.PP
+ (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
+ .SS SNAT
+ This target is only valid in the
+@@ -1021,7 +1022,8 @@ refers to the output interface, and both are available for packets
+ entering the
+ .B FORWARD
+ chain.
+-.PP The various forms of NAT have been separated out;
++.PP
++The various forms of NAT have been separated out;
+ .B iptables
+ is a pure packet filter when using the default `filter' table, with
+ optional extension modules. This should simplify much of the previous
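Review bot: The iptables.8 hunks recorded in this added patch file repeat the changes shown above it on the page, including the `.RS` at `@@ -883` that has no matching `.RE`. If the footnote markup is corrected in one place, correct it here as well so the two copies do not drift apart.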