author ru <ru@FreeBSD.org> 2006-09-29 17:57:04 +0000
committer ru <ru@FreeBSD.org> 2006-09-29 17:57:04 +0000
commit 081fcce9b95f3f51e2b600db9d0026f3ecfadc23
tree 608bfa4b400586363bcc75b7ada22d85d2fc448c /usr.sbin
parent 006fe977362e69e13e0d91dd09794012ca536261
Markup fixes.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- usr.sbin/adduser/adduser.8 | 4
-rw-r--r-- usr.sbin/arp/arp.4 | 23
-rw-r--r-- usr.sbin/asf/asf.8 | 6
-rw-r--r-- usr.sbin/crunch/crunchgen/crunchgen.1 | 5
-rw-r--r-- usr.sbin/iostat/iostat.8 | 2
-rw-r--r-- usr.sbin/jail/jail.8 | 20
-rw-r--r-- usr.sbin/jexec/jexec.8 | 1
-rw-r--r-- usr.sbin/kbdcontrol/kbdcontrol.1 | 19
-rw-r--r-- usr.sbin/mailwrapper/mailwrapper.8 | 4
-rw-r--r-- usr.sbin/moused/moused.8 | 39
-rw-r--r-- usr.sbin/mtree/mtree.8 | 2
-rw-r--r-- usr.sbin/newsyslog/newsyslog.conf.5 | 2
-rw-r--r-- usr.sbin/ntp/doc/ntp.conf.5 | 504
-rw-r--r-- usr.sbin/ntp/doc/ntpd.8 | 9
-rw-r--r-- usr.sbin/ntp/doc/ntpdc.8 | 19
-rw-r--r-- usr.sbin/ntp/doc/ntpq.8 | 109
-rw-r--r-- usr.sbin/pkg_install/info/pkg_info.1 | 2
-rw-r--r-- usr.sbin/pmcstat/pmcstat.8 | 9
-rw-r--r-- usr.sbin/portsnap/portsnap/portsnap.8 | 24
-rw-r--r-- usr.sbin/syslogd/syslog.conf.5 | 5
-rw-r--r-- usr.sbin/watchdogd/watchdog.8 | 2
-rw-r--r-- usr.sbin/watchdogd/watchdogd.8 | 2
-rw-r--r-- usr.sbin/wpa/hostapd/hostapd.conf.5 | 7
-rw-r--r-- usr.sbin/wpa/ndis_events/ndis_events.8 | 25
24 files changed, 531 insertions, 313 deletions
diff --git a/usr.sbin/adduser/adduser.8 b/usr.sbin/adduser/adduser.8
index 018c164..fdb6b4c 100644
--- a/usr.sbin/adduser/adduser.8
+++ b/usr.sbin/adduser/adduser.8
@@ -66,8 +66,8 @@ The user name is restricted to whatever
.Xr pw 8
will accept.
Generally this means it
-may contain only lowercase characters or digits but cannot begin with
-.Sq Fl
+may contain only lowercase characters or digits but cannot begin with the
+.Ql -
character.
Maximum length
is 16 characters.
diff --git a/usr.sbin/arp/arp.4 b/usr.sbin/arp/arp.4
index 0427000..57eadff 100644
--- a/usr.sbin/arp/arp.4
+++ b/usr.sbin/arp/arp.4
@@ -133,18 +133,17 @@ the loopback interface.
Enables ARP proxying for all hosts on net.
.El
.Sh DIAGNOSTICS
-.Em "arp: %x:%x:%x:%x:%x:%x is using my IP address %d.%d.%d.%d!" :
+.Bl -diag
+.It "arp: %x:%x:%x:%x:%x:%x is using my IP address %d.%d.%d.%d!"
ARP has discovered another host on the local network which responds to
mapping requests for its own Internet address with a different Ethernet
address, generally indicating that two hosts are attempting to use the
same Internet address.
-.Pp
-.Em "arp: link address is broadcast for IP address %d.%d.%d.%d!" :
+.It "arp: link address is broadcast for IP address %d.%d.%d.%d!"
ARP requested information for a host, and received an answer indicating
that the host's ethernet address is the ethernet broadcast address.
This indicates a misconfigured or broken device.
-.Pp
-.Em "arp: %d.%d.%d.%d moved from %x:%x:%x:%x:%x:%x to %x:%x:%x:%x:%x:%x on %s" :
+.It "arp: %d.%d.%d.%d moved from %x:%x:%x:%x:%x:%x to %x:%x:%x:%x:%x:%x on %s"
ARP had a cached value for the ethernet address of the referenced host,
but received a reply indicating that the host is at a new address.
This can happen normally when host hardware addresses change,
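Review bot: capitalisation of "Ethernet" is inconsistent inside the new `.Bl -diag` list in this hunk: the text under the first `.It` says "Ethernet address", while the second and third entries say "ethernet address" and "ethernet broadcast address". These entries are being regrouped into one list here, so normalise them to one spelling in the same pass.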
@@ -153,15 +152,13 @@ It can also indicate a problem with proxy ARP.
This message can only be issued if the sysctl
.Va net.link.ether.inet.log_arp_movements
is set to 1, which is the system's default behaviour.
-.Pp
-.Em "arpresolve: can't allocate llinfo for %d.%d.%d.%d" :
+.It "arpresolve: can't allocate llinfo for %d.%d.%d.%d"
The route for the referenced host points to a device upon which ARP is
required, but ARP was unable to allocate a routing table entry in which
to store the host's MAC address.
This usually points to a misconfigured routing table.
It can also occur if the kernel cannot allocate memory.
-.Pp
-.Em "arp: %d.%d.%d.%d is on if0 but got reply from %x:%x:%x:%x:%x:%x on if1" :
+.It "arp: %d.%d.%d.%d is on if0 but got reply from %x:%x:%x:%x:%x:%x on if1"
Physical connections exist to the same logical IP network on both if0 and if1.
It can also occur if an entry already exists in the ARP cache for the IP
address above, and the cable has been disconnected from if0, then reconnected
@@ -169,13 +166,13 @@ to if1.
This message can only be issued if the sysctl
.Va net.link.ether.inet.log_arp_wrong_iface
is set to 1, which is the system's default behaviour.
-.Pp
-.Em "arp: %x:%x:%x:%x:%x:%x attempts to modify permanent entry for %d.%d.%d.%d on %s" :
+.It "arp: %x:%x:%x:%x:%x:%x attempts to modify permanent entry for %d.%d.%d.%d on %s"
ARP has received an ARP reply that attempts to overwrite a permanent
-antry in the local ARP table.
-This error will be only logged, if the sysctl
+entry in the local ARP table.
+This error will only be logged if the sysctl
.Va net.link.ether.inet.log_arp_permanent_modify
is set to 1, which is the system's default behaviour.
+.El
.Sh SEE ALSO
.Xr inet 4 ,
.Xr route 4 ,
diff --git a/usr.sbin/asf/asf.8 b/usr.sbin/asf/asf.8
index 649fac1..2525c3a 100644
--- a/usr.sbin/asf/asf.8
+++ b/usr.sbin/asf/asf.8
@@ -43,7 +43,7 @@ By default,
reads
.Xr kldstat 8
output from standard input and writes to the
-.Pa \&.asf
+.Pa .asf
file a list of
.Xr gdb 1
commands to add symbol files from KLDs in subdirectories of the subdirectory
@@ -73,7 +73,7 @@ writes to it instead of
If
.Ar outfile
is a single dash
-.Pq Sq \&- ,
+.Pq Sq Fl ,
the standard output is used.
.Sh OPTIONS
The following options modify the function of
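Review bot: the single-dash markup in `.Pq Sq Fl ,` goes the opposite way from the adduser.8 hunk in this same patch. Here the literal `\&-` is replaced by an argument-less `Fl`, whereas adduser.8 replaces `.Sq Fl` with `.Ql -` to show the same literal dash character. Pick one form for a literal "-" and use it in both files; the identical change in the next asf.8 hunk needs the same decision.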
@@ -114,7 +114,7 @@ to write or append its output to.
If
.Ar outfile
is a single dash
-.Pq Sq \&- ,
+.Pq Sq Fl ,
the standard output is used.
.It Fl s
Do not prepend a (guessed) subdirectory of the module path.
diff --git a/usr.sbin/crunch/crunchgen/crunchgen.1 b/usr.sbin/crunch/crunchgen/crunchgen.1
index 720c102..b7313b9 100644
--- a/usr.sbin/crunch/crunchgen/crunchgen.1
+++ b/usr.sbin/crunch/crunchgen/crunchgen.1
@@ -433,7 +433,7 @@ At this point the binary
can be copied onto an install floppy
and hard-linked to the names of the component programs.
.Pp
-Note that if the
+Note that if the
.Ic libs_so
command had been used, copies of the libraries so named
would also need to be copied to the install floppy.
@@ -460,6 +460,7 @@ The
must then be used to get those object files built, or
some other arrangements made.
.Sh AUTHORS
+.An -nosplit
The
.Nm
utility was written by
@@ -468,7 +469,7 @@ utility was written by
Copyright (c) 1994 University of Maryland.
All Rights Reserved.
.Pp
-The
+The
.Ic libs_so
keyword was added in 2005 by
.An Adrian Steinmann Aq ast@marabu.ch
diff --git a/usr.sbin/iostat/iostat.8 b/usr.sbin/iostat/iostat.8
index 8aeb833..e7ceb62 100644
--- a/usr.sbin/iostat/iostat.8
+++ b/usr.sbin/iostat/iostat.8
@@ -70,7 +70,7 @@
statistics
.Sh SYNOPSIS
.Nm
-.Op Fl CdhKIoTxz?\&
+.Op Fl CdhIKoTxz?\&
.Op Fl c Ar count
.Op Fl M Ar core
.Op Fl n Ar devs
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 7085fa6..748a677 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -56,7 +56,9 @@ The options are as follows:
.It Fl i
Output the jail identifier of the newly created jail.
.It Fl J Ar jid_file
-Write a JidFile, like a PidFile, containing jailid, path, hostname, ip and
+Write a
+.Ar jid_file
+file, containing jail identifier, path, hostname, IP and
command used to start the jail.
.It Fl l
Run program in the clean environment.
@@ -75,9 +77,9 @@ is imported from the current environment.
The environment variables from the login class capability database for the
target login are also set.
.It Fl s Ar securelevel
-Sets
-.Va kern.securelevel
-to the specified value inside the newly created jail.
+Sets the
+.Va kern.securelevel
+sysctl variable to the specified value inside the newly created jail.
.It Fl u Ar username
The user name from host environment as whom the
.Ar command
@@ -141,7 +143,7 @@ See
.Xr devfs 8
for information on how to use devfs rules to limit access to entries
in the per-jail devfs.
-A simple devfs ruleset for jails is available as ruleset #4 in
+A simple devfs ruleset for jails is available as ruleset #4 in
.Pa /etc/defaults/devfs.rules .
.Pp
In many cases this example would put far more in the jail than needed.
@@ -546,14 +548,14 @@ constraints on
.Va kern.securelevel .
.El
.Pp
-The read-only
+The read-only sysctl variable
.Va security.jail.jailed
-variable can be used to determine if a process is running inside a jail (value
+can be used to determine if a process is running inside a jail (value
is one) or not (value is zero).
.Pp
The
-.Va security.jail.list
-MIB entry is read-only and it returns an array of
+.Va security.jail.list
+MIB entry is read-only and it returns an array of
.Vt "struct xprison"
defined in
.In sys/jail.h .
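Review bot: terminology is left inconsistent between the two paragraphs of this hunk. `security.jail.jailed` is now introduced as "The read-only sysctl variable", matching the "sysctl variable" wording added for `kern.securelevel` earlier in this file, but `security.jail.list` is still called a "MIB entry" and only has its whitespace touched. Suggest describing it as a read-only sysctl variable as well, so that readers checking jail state from scripts see one term for both.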
diff --git a/usr.sbin/jexec/jexec.8 b/usr.sbin/jexec/jexec.8
index 0677ff0..7dbdffe 100644
--- a/usr.sbin/jexec/jexec.8
+++ b/usr.sbin/jexec/jexec.8
@@ -53,6 +53,7 @@ should run.
The user name from jailed environment as whom the
.Ar command
should run.
+.El
.Sh SEE ALSO
.Xr jail_attach 2 ,
.Xr jail 8 ,
diff --git a/usr.sbin/kbdcontrol/kbdcontrol.1 b/usr.sbin/kbdcontrol/kbdcontrol.1
index 95bb0c1..6b8e5c5 100644
--- a/usr.sbin/kbdcontrol/kbdcontrol.1
+++ b/usr.sbin/kbdcontrol/kbdcontrol.1
@@ -243,18 +243,15 @@ To switch back to the default keyboard, use this command.
.Dl kbdcontrol -k /dev/kbd0
.Pp
To allow using both the second USB keyboard and the first AT keyboard
-at the same time on console via
+at the same time on console via the
.Xr kbdmux 4
-driver use the following sequence of commands.
-.Pp
-.Dl kbdcontrol -K < /dev/console
-.Pp
-.Dl kbdcontrol -a atkbd0 < /dev/kbdmux0
-.Pp
-.Dl kbdcontrol -a ukbd1 < /dev/kbdmux0
-.Pp
-.Dl kbdcontrol -k /dev/kbdmux0 < /dev/console
-.Pp
+driver, use the following sequence of commands.
+.Bd -literal -offset indent
+kbdcontrol -K < /dev/console
+kbdcontrol -a atkbd0 < /dev/kbdmux0
+kbdcontrol -a ukbd1 < /dev/kbdmux0
+kbdcontrol -k /dev/kbdmux0 < /dev/console
+.Ed
.Sh SEE ALSO
.Xr kbdmap 1 ,
.Xr vidcontrol 1 ,
diff --git a/usr.sbin/mailwrapper/mailwrapper.8 b/usr.sbin/mailwrapper/mailwrapper.8
index 779fbba..587826b 100644
--- a/usr.sbin/mailwrapper/mailwrapper.8
+++ b/usr.sbin/mailwrapper/mailwrapper.8
@@ -133,9 +133,7 @@ is typically set up as a symbolic link to
.Nm
which is not usually invoked on its own.
.Sh EXIT STATUS
-The
-.Nm
-exits 0 on success, and \*[Gt]0 if an error occurs.
+.Ex -std
.Sh DIAGNOSTICS
The
.Nm
diff --git a/usr.sbin/moused/moused.8 b/usr.sbin/moused/moused.8
index f635a15..4b2138d 100644
--- a/usr.sbin/moused/moused.8
+++ b/usr.sbin/moused/moused.8
@@ -89,14 +89,17 @@ data to the device so that the user program will see it.
.Pp
If the mouse daemon receives the signal
.Dv SIGHUP ,
-it will reopen the mouse port and reinitialize itself. Useful if
+it will reopen the mouse port and reinitialize itself.
+Useful if
the mouse is attached/detached while the system is suspended.
.Pp
If the mouse daemon receives the signal
.Dv SIGUSR1 ,
-it will stop passing mouse events. Sending the signal
-.Dv SIGUSR1
-again will resume passing mouse events. Useful if your typing on a laptop is
+it will stop passing mouse events.
+Sending the signal
+.Dv SIGUSR1
+again will resume passing mouse events.
+Useful if your typing on a laptop is
interrupted by accidentally touching the mouse pad.
.Pp
The following options are available:
@@ -613,11 +616,11 @@ protocol.
To test if the selected protocol type is correct for the given mouse,
enable the mouse pointer in the current virtual console,
.Pp
-.Dl vidcontrol -m on
+.Dl "vidcontrol -m on"
.Pp
start the mouse daemon in the foreground mode,
.Pp
-.Dl moused -f -p Ar _selected_port_ -t Ar _selected_protocol_
+.Dl "moused -f -p <selected_port> -t <selected_protocol>"
.Pp
and see if the mouse pointer travels correctly
according to the mouse movement.
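Review bot: quoting the whole `.Dl` argument on the `moused -f -p` line drops the `Ar` markup the old line had for the two placeholders and substitutes ad-hoc `<selected_port>` and `<selected_protocol>` angle brackets. `Ar` is the mdoc macro for replaceable arguments, and without it the placeholders render as literal text in the same style as the rest of the command. Consider quoting only the literal parts and keeping `Ar selected_port` and `Ar selected_protocol` as macro arguments.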
@@ -668,7 +671,7 @@ utility
UNIX-domain stream socket for X10 MouseRemote events
.El
.Sh EXAMPLES
-.Dl moused -p /dev/cuad0 -i type
+.Dl "moused -p /dev/cuad0 -i type"
.Pp
Let the
.Nm
@@ -676,9 +679,10 @@ utility determine the protocol type of the mouse at the serial port
.Pa /dev/cuad0 .
If successful, the command will print the type, otherwise it will say
.Dq Li unknown .
-.Pp
-.Dl moused -p /dev/cuad0
-.Dl vidcontrol -m on
+.Bd -literal -offset indent
+moused -p /dev/cuad0
+vidcontrol -m on
+.Ed
.Pp
If the
.Nm
@@ -686,9 +690,10 @@ utility is able to identify the protocol type of the mouse at the specified
port automatically, you can start the daemon without the
.Fl t
option and enable the mouse pointer in the text console as above.
-.Pp
-.Dl moused -p /dev/mouse -t microsoft
-.Dl vidcontrol -m on
+.Bd -literal -offset indent
+moused -p /dev/mouse -t microsoft
+vidcontrol -m on
+.Ed
.Pp
Start the mouse daemon on the serial port
.Pa /dev/mouse .
@@ -698,27 +703,27 @@ is explicitly specified by the
.Fl t
option.
.Pp
-.Dl moused -p /dev/mouse -m 1=3 -m 3=1
+.Dl "moused -p /dev/mouse -m 1=3 -m 3=1"
.Pp
Assign the physical button 3 (right button) to the logical button 1
(logical left) and the physical button 1 (left) to the logical
button 3 (logical right).
This will effectively swap the left and right buttons.
.Pp
-.Dl moused -p /dev/mouse -t intellimouse -z 4
+.Dl "moused -p /dev/mouse -t intellimouse -z 4"
.Pp
Report negative Z axis movement (i.e., mouse wheel) as the button 4 pressed
and positive Z axis movement (i.e., mouse wheel) as the button 5 pressed.
.Pp
If you add
.Pp
-.Dl ALL ALL = NOPASSWD: /usr/bin/killall -USR1 moused
+.Dl "ALL ALL = NOPASSWD: /usr/bin/killall -USR1 moused"
.Pp
to your
.Pa /usr/local/etc/sudoers
file, and bind
.Pp
-.Dl killall -USR1 moused
+.Dl "killall -USR1 moused"
.Pp
to a key in your window manager, you can suspend mouse events on your laptop if
you keep brushing over the mouse pad while typing.
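Review bot: the sudoers line quoted in this hunk, `ALL ALL = NOPASSWD: /usr/bin/killall -USR1 moused`, is carried over unchanged apart from the quoting, and as written it lets every account signal the daemon as root without a password. The command and its arguments are fixed, so the exposure is limited to toggling mouse event delivery, but the example would be safer to copy if the first `ALL` were a user or group placeholder for the laptop's owner. Worth fixing while the line is being touched.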
diff --git a/usr.sbin/mtree/mtree.8 b/usr.sbin/mtree/mtree.8
index 1ee6be3..fba53a1 100644
--- a/usr.sbin/mtree/mtree.8
+++ b/usr.sbin/mtree/mtree.8
@@ -28,7 +28,7 @@
.\" From: @(#)mtree.8 8.2 (Berkeley) 12/11/93
.\" $FreeBSD$
.\"
-.Dd July 03, 2006
+.Dd July 3, 2006
.Dt MTREE 8
.Os
.Sh NAME
diff --git a/usr.sbin/newsyslog/newsyslog.conf.5 b/usr.sbin/newsyslog/newsyslog.conf.5
index e848d69..2cbbb66 100644
--- a/usr.sbin/newsyslog/newsyslog.conf.5
+++ b/usr.sbin/newsyslog/newsyslog.conf.5
@@ -21,7 +21,7 @@
.\" the suitability of this software for any purpose. It is
.\" provided "as is" without express or implied warranty.
.\"
-.Dd June 3, 2004
+.Dd July 21, 2006
.Dt NEWSYSLOG.CONF 5
.Os
.Sh NAME
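Review bot: the `.Dd` change from "June 3, 2004" to "July 21, 2006" is the only change to newsyslog.conf.5 in this patch (the diffstat lists 2 lines for the file), so the document date moves by two years with no accompanying content change, under a log message that says only "Markup fixes." If this catches up on a bump missed by an earlier content commit, say so in the log; otherwise leave the date alone, as the mtree.8 hunk does by only normalising "July 03" to "July 3".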
diff --git a/usr.sbin/ntp/doc/ntp.conf.5 b/usr.sbin/ntp/doc/ntp.conf.5
index e1d5d7a..c1df2a2 100644
--- a/usr.sbin/ntp/doc/ntp.conf.5
+++ b/usr.sbin/ntp/doc/ntp.conf.5
@@ -271,7 +271,8 @@ described in
.Sx Authentication Options .
.It Cm burst
when the server is reachable, send a burst of eight packets
-instead of the usual one. The packet spacing is normally 2 s;
+instead of the usual one.
+The packet spacing is normally 2 s;
however, the spacing between the first and second packets
can be changed with the calldelay command to allow
additional time for a modem or ISDN call to complete.
@@ -281,7 +282,8 @@ with the
command and s addresses.
.It Cm iburst
When the server is unreachable, send a burst of eight packets
-instead of the usual one. The packet spacing is normally 2 s;
+instead of the usual one.
+The packet spacing is normally 2 s;
however, the spacing between the first two packets can be
changed with the calldelay command to allow
additional time for a modem or ISDN call to complete.
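Review bot: the context at the top of this hunk, "with the" followed by "command and s addresses.", reads as though macro arguments are missing, and the patch leaves it as is. In the changed paragraph itself, `calldelay` is still plain text in "changed with the calldelay command" (the same is true of the `burst` hunk above). A markup pass over these two items should give the command name command markup and repair the broken sentence before `.It Cm iburst`.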
@@ -412,7 +414,8 @@ based on public key cryptography.
Public key cryptography is generally considered more secure
than symmetric key cryptography, since the security is based
on a private value which is generated by each server and
-never revealed. With Autokey all key distribution and
+never revealed.
+With Autokey all key distribution and
management functions involve only public values, which
considerably simplifies key distribution and storage.
Public key management is based on X.509 certificates,
@@ -423,7 +426,8 @@ or the NTPv4 distribution.
While the algorithms for symmetric key cryptography are
included in the NTPv4 distribution, public key cryptography
requires the OpenSSL software library to be installed
-before building the NTP distribution. Directions for doing that
+before building the NTP distribution.
+Directions for doing that
are on the Building and Installing the Distribution page.
.Pp
Authentication is configured separately for each association
@@ -447,12 +451,15 @@ and the interval between various operations, if other than default.
.Pp
Authentication is always enabled,
although ineffective if not configured as
-described below. If a NTP packet arrives
+described below.
+If a NTP packet arrives
including a message authentication
code (MAC), it is accepted only if it
-passes all cryptographic checks. The
+passes all cryptographic checks.
+The
checks require correct key ID, key value
-and message digest. If the packet has
+and message digest.
+If the packet has
been modified in any way or replayed
by an intruder, it will fail one or more
of these checks and be discarded.
@@ -481,13 +488,15 @@ authenticated using either symmetric key or public key cryptography.
If this
flag is disabled, these operations are effective
even if not cryptographic
-authenticated. It should be understood
+authenticated.
+It should be understood
that operating with the
.Ic auth
flag disabled invites a significant vulnerability
where a rogue hacker can
masquerade as a falseticker and seriously
-disrupt system timekeeping. It is
+disrupt system timekeeping.
+It is
important to note that this flag has no purpose
other than to allow or disallow
a new association in response to new broadcast
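Review bot: grammar in the sentence being rewrapped is left broken: "even if not cryptographic authenticated." should read "cryptographically authenticated". The previous hunk has the same kind of leftover in "If a NTP packet arrives" ("an NTP packet"). Both lines are already being re-broken here, so fix the wording in the same pass; this is the paragraph that tells administrators what disabling `auth` exposes them to, and it should read cleanly.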
@@ -522,7 +531,8 @@ The original RFC-1305 specification allows any one of possibly
authenticate an association.
The servers and clients involved must
agree on the key and key identifier to
-authenticate NTP packets. Keys and
+authenticate NTP packets.
+Keys and
related information are specified in a key
file, usually called
.Pa ntp.keys ,
@@ -541,17 +551,20 @@ When
is first started, it reads the key file specified in the
.Ic keys
configuration command and installs the keys
-in the key cache. However,
+in the key cache.
+However,
individual keys must be activated with the
.Ic trusted
-command before use. This
+command before use.
+This
allows, for instance, the installation of possibly
several batches of keys and
then activating or deactivating each batch
remotely using
.Xr ntpdc 8 .
This also provides a revocation capability that can be used
-if a key becomes compromised. The
+if a key becomes compromised.
+The
.Ic requestkey
command selects the key used as the password for the
.Xr ntpdc 8
@@ -574,15 +587,16 @@ are also available.
Using all of these schemes provides strong security against
replay with or without modification, spoofing, masquerade
and most forms of clogging attacks.
-.Pp
-\." The cryptographic means necessary for all Autokey operations
-\." is provided by the OpenSSL software library.
-\." This library is available from http://www.openssl.org/
-\." and can be installed using the procedures outlined
-\." in the Building and Installing the Distribution page. Once installed,
-\." the configure and build
-\." process automatically detects the library and links
-\." the library routines required.
+.\" .Pp
+.\" The cryptographic means necessary for all Autokey operations
+.\" is provided by the OpenSSL software library.
+.\" This library is available from http://www.openssl.org/
+.\" and can be installed using the procedures outlined
+.\" in the Building and Installing the Distribution page.
+.\" Once installed,
+.\" the configure and build
+.\" process automatically detects the library and links
+.\" the library routines required.
.Pp
The Autokey protocol has several modes of operation
corresponding to the various NTP modes supported.
@@ -601,23 +615,29 @@ The specific cryptographic environment used by Autokey servers
and clients is determined by a set of files
and soft links generated by the
.Xr ntp-keygen 8
-program. This includes a required host key file,
+program.
+This includes a required host key file,
required certificate file and optional sign key file,
-leapsecond file and identity scheme files. The
+leapsecond file and identity scheme files.
+The
digest/signature scheme is specified in the X.509 certificate
-along with the matching sign key. There are several schemes
+along with the matching sign key.
+There are several schemes
available in the OpenSSL software library, each identified
by a specific string such as
.Cm md5WithRSAEncryption ,
which stands for the MD5 message digest with RSA
-encryption scheme. The current NTP distribution supports
+encryption scheme.
+The current NTP distribution supports
all the schemes in the OpenSSL library, including
those based on RSA and DSA digital signatures.
.Pp
NTP secure groups can be used to define cryptographic compartments
-and security hierarchies. It is important that every host
+and security hierarchies.
+It is important that every host
in the group be able to construct a certificate trail to one
-or more trusted hosts in the same group. Each group
+or more trusted hosts in the same group.
+Each group
host runs the Autokey protocol to obtain the certificates
for all hosts along the trail to one or more trusted hosts.
This requires the configuration file in all hosts to be
@@ -638,7 +658,8 @@ DNS compromise is essential.
By convention, the name of an Autokey host is the name returned
by the Unix
.Xr gethostname 2
-system call or equivalent in other systems. By the system design
+system call or equivalent in other systems.
+By the system design
model, there are no provisions to allow alternate names or aliases.
However, this is not to say that DNS aliases, different names
for each interface, etc., are constrained in any way.
@@ -646,10 +667,12 @@ for each interface, etc., are constrained in any way.
It is also important to note that Autokey verifies authenticity
using the host name, network address and public keys,
all of which are bound together by the protocol specifically
-to deflect masquerade attacks. For this reason Autokey
+to deflect masquerade attacks.
+For this reason Autokey
includes the source and destinatino IP addresses in message digest
computations and so the same addresses must be available
-at both the server and client. For this reason operation
+at both the server and client.
+For this reason operation
with network address translation schemes is not possible.
This reflects the intended robust security model where government
and corporate NTP servers are operated outside firewall perimeters.
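Review bot: the typo "destinatino" is left in the context line between the two changed sentences ("includes the source and destinatino IP addresses in message digest"). The arp.4 part of this patch already fixes a typo ("antry"), so correct this one to "destination" as well.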
@@ -661,7 +684,8 @@ There may be management configurations where the clients,
servers and peers may not all support the same cryptotypes.
A secure NTPv4 subnet can be configured in many ways while
keeping in mind the principles explained above and
-in this section. Note however that some cryptotype
+in this section.
+Note however that some cryptotype
combinations may successfully interoperate with each other,
but may not represent good security practice.
.Pp
@@ -688,14 +712,16 @@ using Autokey.
When multiple identity schemes are supported in the Autokey
protocol, the first message exchange determines which one is used.
The client request message contains bits corresponding
-to which schemes it has available. The server response message
+to which schemes it has available.
+The server response message
contains bits corresponding to which schemes it has available.
Both server and client match the received bits with their own
and select a common scheme.
.Pp
Following the principle that time is a public value,
a server responds to any client packet that matches
-its cryptotype capabilities. Thus, a server receiving
+its cryptotype capabilities.
+Thus, a server receiving
an unauthenticated packet will respond with an unauthenticated
packet, while the same server receiving a packet of a cryptotype
it supports will respond with packets of that cryptotype.
@@ -710,13 +736,17 @@ Some examples may help to reduce confusion.
Client Alice has no specific cryptotype selected.
Server Bob has both a symmetric key file and minimal Autokey files.
Alice's unauthenticated messages arrive at Bob, who replies with
-unauthenticated messages. Cathy has a copy of Bob's symmetric
+unauthenticated messages.
+Cathy has a copy of Bob's symmetric
key file and has selected key ID 4 in messages to Bob.
-Bob verifies the message with his key ID 4. If it's the
+Bob verifies the message with his key ID 4.
+If it's the
same key and the message is verified, Bob sends Cathy a reply
-authenticated with that key. If verification fails,
+authenticated with that key.
+If verification fails,
Bob sends Cathy a thing called a crypto-NAK, which tells her
-something broke. She can see the evidence using the ntpq program.
+something broke.
+She can see the evidence using the ntpq program.
.Pp
Denise has rolled her own host key and certificate.
She also uses one of the identity schemes as Bob.
@@ -739,22 +769,27 @@ incorporated as a set of files generated by the
.Xr ntp-keygen 8
utility program, including symmetric key, host key and
public certificate files, as well as sign key, identity parameters
-and leapseconds files. Alternatively, host and sign keys and
+and leapseconds files.
+Alternatively, host and sign keys and
certificate files can be generated by the OpenSSL utilities
and certificates can be imported from public certificate
-authorities. Note that symmetric keys are necessary for the
+authorities.
+Note that symmetric keys are necessary for the
.Xr ntpq 8
and
.Xr ntpdc 8
-utility programs. The remaining files are necessary only for the
+utility programs.
+The remaining files are necessary only for the
Autokey protocol.
.Pp
Certificates imported from OpenSSL or public certificate
authorities have certian limitations.
The certificate should be in ASN.1 syntax, X.509 Version 3
format and encoded in PEM, which is the same format
-used by OpenSSL. The overall length of the certificate encoded
-in ASN.1 must not exceed 1024 bytes. The subject distinguished
+used by OpenSSL.
+The overall length of the certificate encoded
+in ASN.1 must not exceed 1024 bytes.
+The subject distinguished
name field (CN) is the fully qualified name of the host
on which it is used; the remaining subject fields are ignored.
The certificate extension fields must not contain either
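Review bot: the typo "certian" is left in the context line "authorities have certian limitations." directly above the sentences being re-broken at the end of this hunk. Correct it to "certain" in the same pass; this paragraph states the constraints on imported certificates and is likely to be read closely.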
@@ -797,10 +832,12 @@ range 1 to 65,534, inclusive.
.Op Cm mvpar Ar file
.Op Cm pw Ar password
.Xc
-This command requires the OpenSSL library. It activates public key
+This command requires the OpenSSL library.
+It activates public key
cryptography, selects the message digest and signature
encryption scheme and loads the required private and public
-values described above. If one or more files are left unspecified,
+values described above.
+If one or more files are left unspecified,
the default names are used as described above.
Unless the complete path and name of the file are specified, the
location of a file is relative to the keys directory specified
@@ -816,12 +853,14 @@ This overrides the link
.Pa ntpkey_cert_ Ns Ar hostname
in the keys directory.
.It Cm gqpar Ar file
-Specifies the location of the optional GQ parameters file. This
+Specifies the location of the optional GQ parameters file.
+This
overrides the link
.Pa ntpkey_gq_ Ns Ar hostname
in the keys directory.
.It Cm host Ar file
-Specifies the location of the required host key file. This overrides
+Specifies the location of the required host key file.
+This overrides
the link
.Pa ntpkey_key_ Ns Ar hostname
in the keys directory.
@@ -836,22 +875,27 @@ This overrides the link
.Pa ntpkey_leap
in the keys directory.
.It Cm mvpar Ar file
-Specifies the location of the optional MV parameters file. This
+Specifies the location of the optional MV parameters file.
+This
overrides the link
.Pa ntpkey_mv_ Ns Ar hostname
in the keys directory.
.It Cm pw Ar password
Specifies the password to decrypt files containing private keys and
-identity parameters. This is required only if these files have been
+identity parameters.
+This is required only if these files have been
encrypted.
.It Cm randfile Ar file
Specifies the location of the random seed file used by the OpenSSL
-library. The defaults are described in the main text above.
+library.
+The defaults are described in the main text above.
.It Cm sign Ar file
-Specifies the location of the optional sign key file. This overrides
+Specifies the location of the optional sign key file.
+This overrides
the link
.Pa ntpkey_sign_ Ns Ar hostname
-in the keys directory. If this file is
+in the keys directory.
+If this file is
not found, the host key is also the sign key.
.El
.It Ic keys Ar keyfile
@@ -938,7 +982,8 @@ Not used.
The signature length does not match the current public key.
.It 108
.Pq signature not verified
-The message fails the signature check. It could be bogus or signed by a
+The message fails the signature check.
+It could be bogus or signed by a
different private key.
.It 109
.Pq certificate not verified
@@ -989,7 +1034,8 @@ Currently, four kinds of
statistics are supported.
.Bl -tag -width indent
.It Cm clockstats
-Enables recording of clock driver statistics information. Each update
+Enables recording of clock driver statistics information.
+Each update
received from a clock driver appends a line of the following form to
the file generation set named
.Cm clockstats :
@@ -998,14 +1044,19 @@ the file generation set named
.Ed
.Pp
The first two fields show the date (Modified Julian Day) and time
-(seconds and fraction past UTC midnight). The next field shows the
-clock address in dotted-quad notation, The final field shows the last
+(seconds and fraction past UTC midnight).
+The next field shows the
+clock address in dotted-quad notation.
+The final field shows the last
timecode received from the clock in decoded ASCII format, where
-meaningful. In some clock drivers a good deal of additional information
-can be gathered and displayed as well. See information specific to each
+meaningful.
+In some clock drivers a good deal of additional information
+can be gathered and displayed as well.
+See information specific to each
clock for further details.
.It Cm cryptostats
-This option requires the OpenSSL cryptographic software library. It
+This option requires the OpenSSL cryptographic software library.
+It
enables recording of cryptographic public key protocol information.
Each message received by the protocol module appends a line of the
following form to the file generation set named
@@ -1015,9 +1066,11 @@ following form to the file generation set named
.Ed
.Pp
The first two fields show the date (Modified Julian Day) and time
-(seconds and fraction past UTC midnight). The next field shows the peer
+(seconds and fraction past UTC midnight).
+The next field shows the peer
address in dotted-quad notation, The final message field includes the
-message type and certain ancillary information. See the
+message type and certain ancillary information.
+See the
.Sx Authentication Options
section for further information.
.It Cm loopstats
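Review bot: the comma splice "address in dotted-quad notation, The final message field" is left unfixed in this cryptostats hunk, although the clockstats hunk just above corrects the identical "notation, The" to "notation." followed by a new line. Apply the same fix here so the two field descriptions stay parallel.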
@@ -1082,7 +1135,8 @@ The timestamp
values are as received and before processing by the various data
smoothing and mitigation algorithms.
.It Cm sysstats
-Enables recording of ntpd statistics counters on a periodic basis. Each
+Enables recording of ntpd statistics counters on a periodic basis.
+Each
hour a line of the following form is appended to the file generation
set named
.Cm sysstats :
@@ -1091,7 +1145,8 @@ set named
.Ed
.Pp
The first two fields show the date (Modified Julian Day) and time
-(seconds and fraction past UTC midnight). The remaining ten fields show
+(seconds and fraction past UTC midnight).
+The remaining ten fields show
the statistics counter values accumulated since the last generated
line.
.Bl -tag -width indent
@@ -1118,7 +1173,8 @@ Number of packets discarded due to rate limitation.
.El
.It Cm statsdir Ar directory_path
Indicates the full path of a directory where statistics files
-should be created (see below). This keyword allows
+should be created (see below).
+This keyword allows
the (otherwise constant)
.Cm filegen
filename prefix to be modified for file generation sets, which
@@ -1129,13 +1185,16 @@ is useful for handling statistics logs.
.Op Cm link | nolink
.Op Cm enable | disable
.Xc
-Configures setting of generation file set name. Generation
+Configures setting of generation file set name.
+Generation
file sets provide a means for handling files that are
continuously growing during the lifetime of a server.
Server statistics are a typical example for such files.
Generation file sets provide access to a set of files used
-to store the actual data. At any time at most one element
-of the set is being written to. The type given specifies
+to store the actual data.
+At any time at most one element
+of the set is being written to.
+The type given specifies
when and how data will be directed to a new element of the set.
This way, information stored in elements of a file set
that are currently unused are available for administrational
@@ -1152,7 +1211,8 @@ This is the type of the statistics records, as shown in the
.Cm statistics
command.
.It Cm file Ar filename
-This is the file name for the statistics records. Filenames of set
+This is the file name for the statistics records.
+Filenames of set
members are built from three concatenated elements
.Ar Cm prefix ,
.Ar Cm filename
@@ -1160,13 +1220,17 @@ and
.Ar Cm suffix :
.Bl -tag -width indent
.It Cm prefix
-This is a constant filename path. It is not subject to
+This is a constant filename path.
+It is not subject to
modifications via the
.Ar filegen
-option. It is defined by the
-server, usually specified as a compile-time constant. It may,
+option.
+It is defined by the
+server, usually specified as a compile-time constant.
+It may,
however, be configurable for individual file generation sets
-via other commands. For example, the prefix used with
+via other commands.
+For example, the prefix used with
.Ar loopstats
and
.Ar peerstats
@@ -1180,27 +1244,34 @@ above (no intervening
This can be modified using
the file argument to the
.Ar filegen
-statement. No .. elements are
+statement.
+No
+.Pa ..
+elements are
allowed in this component to prevent filenames referring to
parts outside the filesystem hierarchy denoted by
.Ar prefix .
.It Cm suffix
-This part is reflects individual elements of a file set. It is
+This part is reflects individual elements of a file set.
+It is
generated according to the type of a file set.
.El
.It Cm type Ar typename
-A file generation set is characterized by its type. The following
+A file generation set is characterized by its type.
+The following
types are supported:
.Bl -tag -width indent
.It Cm none
The file set is actually a single plain file.
.It Cm pid
One element of file set is used per incarnation of a ntpd
-server. This type does not perform any changes to file set
+server.
+This type does not perform any changes to file set
members during runtime, however it provides an easy way of
separating files belonging to different
.Xr ntpd 8
-server incarnations. The set member filename is built by appending a
+server incarnations.
+The set member filename is built by appending a
.Ql \&.
to concatenated
.Ar prefix
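Review bot: in the `.It Cm suffix` item the re-added line "This part is reflects individual elements of a file set." keeps the stray "is". Since the line is being rewritten anyway, make it "This part reflects individual elements of a file set." The same applies to "a ntpd" under `.It Cm pid`, which should read "an" and arguably use `.Xr ntpd 8` like the next sentence does.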
@@ -1211,8 +1282,10 @@ appending the decimal representation of the process ID of the
.Xr ntpd 8
server process.
.It Cm day
-One file generation set element is created per day. A day is
-defined as the period between 00:00 and 24:00 UTC. The file set
+One file generation set element is created per day.
+A day is
+defined as the period between 00:00 and 24:00 UTC.
+The file set
member suffix consists of a
.Ql \&.
and a day specification in
@@ -1230,24 +1303,30 @@ in a file named
.Ar filename Ns .19921210 .
.It Cm week
Any file set member contains data related to a certain week of
-a year. The term week is defined by computing day-of-year
-modulo 7. Elements of such a file generation set are
+a year.
+The term week is defined by computing day-of-year
+modulo 7.
+Elements of such a file generation set are
distinguished by appending the following suffix to the file set
filename base: A dot, a 4-digit year number, the letter
.Cm W ,
-and a 2-digit week number. For example, information from January,
+and a 2-digit week number.
+For example, information from January,
10th 1992 would end up in a file with suffix
.No . Ns Ar 1992W1 .
.It Cm month
-One generation file set element is generated per month. The
+One generation file set element is generated per month.
+The
file name suffix consists of a dot, a 4-digit year number, and
a 2-digit month.
.It Cm year
-One generation file element is generated per year. The filename
+One generation file element is generated per year.
+The filename
suffix consists of a dot and a 4 digit year number.
.It Cm age
This type of file generation sets changes to a new element of
-the file set every 24 hours of server operation. The filename
+the file set every 24 hours of server operation.
+The filename
suffix consists of a dot, the letter
.Cm a ,
and an 8-digit number.
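Review bot: the `.It Cm week` item says the suffix ends in "a 2-digit week number", but the example two lines later is `.No . Ns Ar 1992W1`, which has a single digit. One of the two is wrong, and anyone writing log-rotation or collection globs from this page needs to know which. Check what ntpd actually emits and correct the text or the example in this pass.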
@@ -1260,19 +1339,23 @@ output is prevented by specifying
.El
.It Cm link | nolink
It is convenient to be able to access the current element of a file
-generation set by a fixed name. This feature is enabled by
+generation set by a fixed name.
+This feature is enabled by
specifying
.Cm link
and disabled using
.Cm nolink .
If link is specified, a
hard link from the current file set element to a file without
-suffix is created. When there is already a file with this name and
+suffix is created.
+When there is already a file with this name and
the number of links of this file is one, it is renamed appending a
dot, the letter
.Cm C ,
-and the pid of the ntpd server process. When the
-number of links is greater than one, the file is unlinked. This
+and the pid of the ntpd server process.
+When the
+number of links is greater than one, the file is unlinked.
+This
allows the current file to be accessed by a constant name.
.It Cm enable \&| Cm disable
Enables or disables the recording function.
@@ -1283,11 +1366,13 @@ Enables or disables the recording function.
The
.Xr ntpd 8
daemon implements a general purpose address/mask based restriction
-list. The list contains address/match entries sorted first
+list.
+The list contains address/match entries sorted first
by increasing address values and and then by increasing mask values.
A match occurs when the bitwise AND of the mask and the packet
source address is equal to the bitwise AND of the mask and
-address in the list. The list is searched in order with the
+address in the list.
+The list is searched in order with the
last match found defining the restriction flags associated
with the entry.
Additional information and examples can be found in the
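Review bot: the context line "by increasing address values and and then by increasing mask values." has a doubled "and" that this hunk leaves in place while rewrapping the sentences on either side. This paragraph defines how restrict entries are ordered and matched, so it is worth pulling that line into the hunk and fixing it.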
@@ -1299,8 +1384,10 @@ provided in
.Pp
The restriction facility was implemented in conformance
with the access policies for the original NSFnet backbone
-time servers. Later the facility was expanded to deflect
-cryptographic and clogging attacks. While this facility may
+time servers.
+Later the facility was expanded to deflect
+cryptographic and clogging attacks.
+While this facility may
be useful for keeping unwanted or broken or malicious clients
from congesting innocent servers, it should not be considered
an alternative to the NTP authentication facilities.
@@ -1310,13 +1397,16 @@ by a determined cracker.
Clients can be denied service because they are explicitly
included in the restrict list created by the restrict command
or implicitly as the result of cryptographic or rate limit
-violations. Cryptographic violations include certificate
+violations.
+Cryptographic violations include certificate
or identity verification failure; rate limit violations generally
result from defective NTP implementations that send packets
-at abusive rates. Some violations cause denied service
+at abusive rates.
+Some violations cause denied service
only for the offending packet, others cause denied service
for a timed period and others cause the denied service for
-an indefinate period. When a client or network is denied access
+an indefinate period.
+When a client or network is denied access
for an indefinate period, the only way at present to remove
the restrictions is by restarting the server.
.Ss The Kiss-of-Death Packet
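Review bot: "indefinate" is carried into the new line "an indefinate period." and remains in the following context line "for an indefinate period, the only way at present to remove". Both should read "indefinite"; the added line is already being touched, so the spelling fix costs nothing here.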
@@ -1346,10 +1436,12 @@ A client receiving a KoD performs a set of sanity checks to
minimize security exposure, then updates the stratum and
reference identifier peer variables, sets the access
denied (TEST4) bit in the peer flash variable and sends
-a message to the log. As long as the TEST4 bit is set,
+a message to the log.
+As long as the TEST4 bit is set,
the client will send no further packets to the server.
The only way at present to recover from this condition is
-to restart the protocol at both the client and server. This
+to restart the protocol at both the client and server.
+This
happens automatically at the client when the association times out.
It will happen at the server only if the server operator cooperates.
.Ss Access Control Commands
@@ -1362,14 +1454,16 @@ It will happen at the server only if the server operator cooperates.
Set the parameters of the
.Cm limited
facility which protects the server from
-client abuse. The
+client abuse.
+The
.Cm average
subcommand specifies the minimum average packet
spacing, while the
.Cm minimum
subcommand specifies the minimum packet spacing.
Packets that violate these minima are discarded
-and a kiss-o'-death packet returned if enabled. The default
+and a kiss-o'-death packet returned if enabled.
+The default
minimum average and minimum are 5 and 2, respectively.
The monitor subcommand specifies the probability of discard
for packets that overflow the rate-control window.
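Review bot: "The monitor subcommand specifies the probability of discard" leaves `monitor` as plain text, while `average` and `minimum` in the same paragraph are set with `.Cm`. For a markup pass, split the line and use `.Cm monitor` so all three subcommands of the discard command render alike.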
@@ -1383,7 +1477,8 @@ argument expressed in
dotted-quad form is the address of a host or network.
Alternatively, the
.Ar address
-argument can be a valid host DNS name. The
+argument can be a valid host DNS name.
+The
.Ar mask
argument expressed in dotted-quad form defaults to
.Cm 255.255.255.255 ,
@@ -1422,12 +1517,15 @@ and
queries.
.It Cm kod
If this flag is set when an access violation occurs, a kiss-o'-death
-(KoD) packet is sent. KoD packets are rate limited to no more than one
-per second. If another KoD packet occurs within one second after the
+(KoD) packet is sent.
+KoD packets are rate limited to no more than one
+per second.
+If another KoD packet occurs within one second after the
last one, the packet is dropped.
.It Cm limited
Deny service if the packet spacing violates the lower limits specified
-in the discard command. A history of clients is kept using the
+in the discard command.
+A history of clients is kept using the
monitoring capability of
.Xr ntpd 8 .
Thus, monitoring is always active as
@@ -1450,16 +1548,19 @@ Deny
and
.Xr ntpdc 8
queries which attempt to modify the state of the
-server (i.e., run time reconfiguration). Queries which return
+server (i.e., run time reconfiguration).
+Queries which return
information are permitted.
.It Cm noquery
Deny
.Xr ntpq 8
and
.Xr ntpdc 8
-queries. Time service is not affected.
+queries.
+Time service is not affected.
.It Cm nopeer
-Deny packets which would result in mobilizing a new association. This
+Deny packets which would result in mobilizing a new association.
+This
includes broadcast and symmetric active packets when a configured
association does not exist.
.It Cm noserve
@@ -1470,7 +1571,8 @@ and
queries.
.It Cm notrap
Decline to provide mode 6 control message trap service to matching
-hosts. The trap service is a subsystem of the ntpdq control message
+hosts.
+The trap service is a subsystem of the ntpdq control message
protocol which is intended for use by remote event logging programs.
.It Cm notrust
Deny service unless the packet is cryptographically authenticated.
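Review bot: the added line "The trap service is a subsystem of the ntpdq control message" names "ntpdq", which matches neither of the two utilities this file otherwise references as `.Xr ntpq 8` and `.Xr ntpdc 8`. Confirm which program is meant and mark it up with `.Xr`, since this item tells operators which query path `notrap` closes.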
@@ -1506,7 +1608,8 @@ NTP server is unrestricted).
.Sh Automatic NTP Configuration Options
.Ss Manycasting
Manycasting is a automatic discovery and configuration paradigm
-new to NTPv4. It is intended as a means for a multicast client
+new to NTPv4.
+It is intended as a means for a multicast client
to troll the nearby network neighborhood to find cooperating
manycast servers, validate them using cryptographic means
and evaluate their time values with respect to other servers
@@ -1524,7 +1627,8 @@ The manycast paradigm is designed to find a plurality
of redundant servers satisfying defined optimality criteria.
.Pp
Manycasting can be used with either symmetric key
-or public key cryptography. The public key infrastructure (PKI)
+or public key cryptography.
+The public key infrastructure (PKI)
offers the best protection against compromised keys
and is generally considered stronger, at least with relatively
large key sizes.
@@ -1540,7 +1644,8 @@ server command but with a multicast (IPv4 class
.Cm D
or IPv6 prefix
.Cm FF )
-group address. The IANA has designated IPv4 address 224.1.1.1
+group address.
+The IANA has designated IPv4 address 224.1.1.1
and IPv6 address FF05::101 (site local) for NTP.
When more servers are needed, it broadcasts manycast
client messages to this address at the minimum feasible rate
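Review bot: the added line "The IANA has designated IPv4 address 224.1.1.1" disagrees with ntpd.8 in this same commit, where `-m` is documented as using "the IPv4 multicast group address 224.0.1.1". The IANA assignment for NTP is 224.0.1.1, so the value here looks like a transposition. Correct it while the line is being rewritten; anyone copying the address from this page into a manycast configuration or a multicast firewall rule would be using the wrong group.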
@@ -1553,9 +1658,11 @@ for a future ephemeral unicast client/server association.
Manycast servers configured with the
.Ic manycastserver
command listen on the specified group address for manycast
-client messages. Note the distinction between manycast client,
+client messages.
+Note the distinction between manycast client,
which actively broadcasts messages, and manycast server,
-which passively responds to them. If a manycast server is
+which passively responds to them.
+If a manycast server is
in scope of the current TTL and is itself synchronized
to a valid source and operating at a stratum level equal
to or lower than the manycast client, it replies to the
@@ -1565,18 +1672,22 @@ The manycast client receiving this message mobilizes
an ephemeral client/server association according to the
matching manycast client template, but only if cryptographically
authenticated and the server stratum is less than or equal
-to the client stratum. Authentication is explicitly required
+to the client stratum.
+Authentication is explicitly required
and either symmetric key or public key (Autokey) can be used.
Then, the client polls the server at its unicast address
in burst mode in order to reliably set the host clock
-and validate the source. This normally results
+and validate the source.
+This normally results
in a volley of eight client/server at 2-s intervals
during which both the synchronization and cryptographic
-protocols run concurrently. Following the volley,
+protocols run concurrently.
+Following the volley,
the client runs the NTP intersection and clustering
algorithms, which act to discard all but the "best"
associations according to stratum and synchronization
-distance. The surviving associations then continue
+distance.
+The surviving associations then continue
in ordinary client/server mode.
.Pp
The manycast client polling strategy is designed to reduce
@@ -1588,7 +1699,8 @@ The strategy is determined by the
.Ic tos
and
.Ic ttl
-configuration commands. The manycast poll interval is
+configuration commands.
+The manycast poll interval is
normally eight times the system poll interval,
which starts out at the
.Cm minpoll
@@ -1596,7 +1708,8 @@ value specified in the
.Ic manycastclient ,
command and, under normal circumstances, increments to the
.Cm maxpolll
-value specified in this command. Initially, the TTL is
+value specified in this command.
+Initially, the TTL is
set at the minimum hops specified by the ttl command.
At each retransmission the TTL is increased until reaching
the maximum hops specified by this command or a sufficient
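Review bot: the context line `.Cm maxpolll` has three l's; the option is spelled `maxpoll` elsewhere in this file (for example "reaching the maximum of eight times" followed by `.Cm maxpoll .`). The line `.Ic manycastclient ,` just above it also puts a comma before "command", which renders as "manycastclient, command and". Both are markup-level defects that fit the scope of this commit.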
@@ -1611,7 +1724,8 @@ and
.Cm minsane
values specified in the
.Ic tos
-configuration command. At least
+configuration command.
+At least
.Cm minsane
candidate servers must be available and the mitigation
algorithms produce at least
@@ -1623,9 +1737,10 @@ For legacy purposes,
.Cm minsane
defaults to 1 and
.Cm minclock
-defaults to 3. For manycast service
+defaults to 3.
+For manycast service
.Cm minsane
-should be explicitly set to 4. assuming at least that
+should be explicitly set to 4, assuming at least that
number of servers are available.
.Pp
If at least
@@ -1636,12 +1751,14 @@ set to eight times
If less than
.Cm minclock
servers are found when the TTL has reached the maximum hops,
-the manycast poll interval is doubled. For each transmission
+the manycast poll interval is doubled.
+For each transmission
after that, the poll interval is doubled again until
reaching the maximum of eight times
.Cm maxpoll .
Further transmissions use the same poll interval and
-TTL values. Note that while all this is going on,
+TTL values.
+Note that while all this is going on,
each client/server association found is operating normally
it the system poll interval.
.Pp
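Review bot: the last context line of the paragraph, "it the system poll interval.", should read "at the system poll interval." The sentence directly above it is being split in this hunk, so fix the typo in the same edit.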
@@ -1663,7 +1780,8 @@ in TTL range, which is probably the most common objective.
However, unless configured otherwise, all manycast clients
in TTL range will eventually find all primary servers
in TTL range, which is probably not the most common
-objective in large networks. The
+objective in large networks.
+The
.Ic tos
command can be used to modify this behavior.
Servers with stratum below
@@ -1688,7 +1806,8 @@ falls below
.Cm minclock ,
all manycast client prototype associations are reset
to the initial poll interval and TTL hops and operation
-resumes from the beginning. It is important to avoid
+resumes from the beginning.
+It is important to avoid
frequent manycast client messages, since each one requires
all manycast servers in TTL range to respond.
The result could well be an implosion, either minor or major,
@@ -1702,15 +1821,18 @@ as both manycast client and manycast server.
A number of hosts configured this way and sharing a common
group address will automatically organize themselves
in an optimum configuration based on stratum and
-synchronization distance. For example, consider an NTP
+synchronization distance.
+For example, consider an NTP
subnet of two primary servers and a hundred or more
-dependent clients. With two exceptions, all servers
+dependent clients.
+With two exceptions, all servers
and clients have identical configuration files including both
.Ic multicastclient
and
.Ic multicastserver
commands using, for instance, multicast group address
-239.1.1.1. The only exception is that each primary server
+239.1.1.1.
+The only exception is that each primary server
configuration file must include commands for the primary
reference source such as a GPS receiver.
.Pp
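Review bot: the added line "With two exceptions, all servers" is contradicted three lines later by "The only exception is that each primary server". Decide whether there is one exception or two and make both sentences agree. The example also names `.Ic multicastclient` and `.Ic multicastserver`, while the rest of the section documents `.Ic manycastclient` and `.Ic manycastserver`; if the manycast commands are meant, the example as written would lead a reader to configure the wrong mode.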
@@ -1719,7 +1841,8 @@ servers and clients have the same contents, except for the
.Ic tos
command, which is specific for each stratum level.
For stratum 1 and stratum 2 servers, that command is
-not necessary. For stratum 3 and above servers the
+not necessary.
+For stratum 3 and above servers the
.Cm floor
value is set to the intended stratum number.
Thus, all stratum 3 configuration files are identical,
@@ -1729,7 +1852,8 @@ Once operations have stabilized in this scenario,
the primary servers will find the primary reference source
and each other, since they both operate at the same
stratum (1), but not with any secondary server or client,
-since these operate at a higher stratum. The secondary
+since these operate at a higher stratum.
+The secondary
servers will find the servers at the same stratum level.
If one of the primary servers loses its GPS receiver,
it will continue to operate as a client and other clients
@@ -1743,9 +1867,11 @@ continuously and run either
or
.Xr ntpd 8
.Fl q
-as a cron job. In either case the servers must be
+as a cron job.
+In either case the servers must be
configured in advance and the program fails if none are
-available when the cron job runs. A really slick
+available when the cron job runs.
+A really slick
application of manycast is with
.Xr ntpd 8
.Fl q .
@@ -1759,9 +1885,11 @@ configuration file.
Each time a manycast client sends a client mode packet
to a multicast group address, all manycast servers
in scope generate a reply including the host name
-and status word. The manycast clients then run
+and status word.
+The manycast clients then run
the Autokey protocol, which collects and verifies
-all certificates involved. Following the burst interval
+all certificates involved.
+Following the burst interval
all but three survivors are cast off,
but the certificates remain in the local cache.
It often happens that several complete signing trails
@@ -1772,12 +1900,14 @@ exceeds this, the client regenerates the Autokey key list.
This is in general transparent in client/server mode.
However, about once per day the server private value
used to generate cookies is refreshed along with all
-manycast client associations. In this case all
+manycast client associations.
+In this case all
cryptographic values including certificates is refreshed.
If a new certificate has been generated since
the last refresh epoch, it will automatically revoke
all prior certificates that happen to be in the
-certificate cache. At the same time, the manycast
+certificate cache.
+At the same time, the manycast
scheme starts all over from the beginning and
the expanding ring shrinks to the minimum and increments
from there while collecting all servers in scope.
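Review bot: "cryptographic values including certificates is refreshed." has a plural subject with a singular verb, and it sits right below the sentence this hunk splits. Change it to "are refreshed" so the description of the daily Autokey refresh reads cleanly.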
@@ -1793,9 +1923,11 @@ from there while collecting all servers in scope.
.Oc
.Xc
This command affects the clock selection and clustering
-algorithms. It can be used to select the quality and
+algorithms.
+It can be used to select the quality and
quantity of peers used to synchronize the system clock
-and is most useful in manycast mode. The variables operate
+and is most useful in manycast mode.
+The variables operate
as follows:
.Bl -tag -width indent
.It Cm ceiling Ar ceiling
@@ -1809,9 +1941,11 @@ to any number from 1 to 15.
.It Cm cohort Bro 0 | 1 Brc
This is a binary flag which enables (0) or disables (1)
manycast server replies to manycast clients with the same
-stratum level. This is useful to reduce implosions where
+stratum level.
+This is useful to reduce implosions where
large numbers of clients with the same stratum level
-are present. The default is to enable these replies.
+are present.
+The default is to enable these replies.
.It Cm floor Ar floor
Peers with strata below
.Cm floor
@@ -1824,7 +1958,8 @@ to any number from 1 to 15.
The clustering algorithm repeatedly casts out outlyer
associations until no more than
.Cm minclock
-associations remain. This value defaults to 3,
+associations remain.
+This value defaults to 3,
but can be changed to any number from 1 to the number of
configured sources.
.It Cm minsane Ar minsane
@@ -1832,8 +1967,10 @@ This is the minimum number of candidates available
to the clock selection algorithm in order to produce
one or more truechimers for the clustering algorithm.
If fewer than this number are available, the clock is
-undisciplined and allowed to run free. The default is 1
-for legacy purposes. However, according to principles of
+undisciplined and allowed to run free.
+The default is 1
+for legacy purposes.
+However, according to principles of
Byzantine agreement,
.Cm minsane
should be at least 4 in order to detect and discard
@@ -1841,9 +1978,10 @@ a single falseticker.
.El
.It Cm ttl Ar hop ...
This command specifies a list of TTL values in increasing
-order. up to 8 values can be specified.
+order, up to 8 values can be specified.
In manycast mode these values are used in turn
-in an expanding-ring search. The default is eight
+in an expanding-ring search.
+The default is eight
multiples of 32 starting at 31.
.El
.Sh Reference Clock Support
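Review bot: the replacement line "order, up to 8 values can be specified." turns a lowercase sentence start into a comma splice rather than fixing it. Either end the previous line with "order." and begin a new line "Up to 8 values can be specified.", which matches the one-sentence-per-line rule applied everywhere else in this commit, or use a semicolon.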
@@ -2183,12 +2321,15 @@ packets sent in burst or iburst mode to allow additional time for a modem
or ISDN call to complete.
.It Ic driftfile Ar driftfile
This command specifies the complete path and name of the file used to
-record the frequency of the local clock oscillator. This is the same
+record the frequency of the local clock oscillator.
+This is the same
operation as the
.Fl f
-command linke option. If the file exists, it is read at
+command linke option.
+If the file exists, it is read at
startup in order to set the initial frequency and then updated once per
-hour with the current frequency computed by the daemon. If the file name is
+hour with the current frequency computed by the daemon.
+If the file name is
specified, but the file itself does not exist, the starts with an initial
frequency of zero and creates the file when writing it for the first time.
If this command is not given, the daemon will always start with an initial
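Review bot: the added line "command linke option." keeps the typo "linke" for "line". The context line "specified, but the file itself does not exist, the starts with an initial" is also missing its subject (presumably "the daemon starts"). Both are in the `driftfile` item, which this hunk is already rewriting.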
@@ -2231,21 +2372,25 @@ utility program.
.It Cm auth
Enables the server to synchronize with unconfigured peers only if the
peer has been correctly authenticated using either public key or
-private key cryptography. The default for this flag is
+private key cryptography.
+The default for this flag is
.Ic enable .
.It Cm bclient
Enables the server to listen for a message from a broadcast or
multicast server, as in the
.Ic multicastclient
command with default
-address. The default for this flag is
+address.
+The default for this flag is
.Ic disable .
.It Cm calibrate
-Enables the calibrate feature for reference clocks. The default for
+Enables the calibrate feature for reference clocks.
+The default for
this flag is
.Ic disable .
.It Cm kernel
-Enables the kernel time discipline, if available. The default for this
+Enables the kernel time discipline, if available.
+The default for this
flag is
.Ic enable
if support is available, otherwise
@@ -2262,13 +2407,16 @@ The
default for this flag is
.Ic enable .
.It Cm ntp
-Enables time and frequency discipline. In effect, this switch opens and
-closes the feedback loop, which is useful for testing. The default for
+Enables time and frequency discipline.
+In effect, this switch opens and
+closes the feedback loop, which is useful for testing.
+The default for
this flag is
.Ic enable .
.It Cm pps
Enables the pulse-per-second (PPS) signal when frequency and time is
-disciplined by the precision time kernel modifications. See the
+disciplined by the precision time kernel modifications.
+See the
.Qq A Kernel Model for Precision Timekeeping
(available as part of the HTML documentation
provided in
@@ -2286,10 +2434,12 @@ The default for this flag is
.El
.It Ic includefile Ar includefile
This command allows additional configuration commands
-to be included from a separate file. Include files may
+to be included from a separate file.
+Include files may
be nested to a depth of five; upon reaching the end of any
include file, command processing resumes in the previous
-configuration file. This option is useful for sites that run
+configuration file.
+This option is useful for sites that run
.Xr ntpd 8
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
@@ -2348,9 +2498,11 @@ status messages
.Pc .
.Pp
Configuration keywords are formed by concatenating the message class with
-the event class. The
+the event class.
+The
.Cm all
-prefix can be used instead of a message class. A
+prefix can be used instead of a message class.
+A
message class may also be followed by the
.Cm all
keyword to enable/disable all
@@ -2377,7 +2529,8 @@ peers, system events and so on is suppressed.
This command specifies the location of an alternate log file to
be used instead of the default system
.Xr syslog 3
-facility. This is the same operation as the -l command line option.
+facility.
+This is the same operation as the -l command line option.
.It Ic setvar Ar variable Op Cm default
This command adds an additional system variable.
These
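Review bot: the added line "This is the same operation as the -l command line option." leaves the flag as literal text. The `driftfile` item in this file uses `.Fl f` for the equivalent sentence, so this one should be split to use `.Fl l` followed by "command line option." for consistent rendering.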
@@ -2457,7 +2610,8 @@ The argument becomes the new value for the dispersion increase rate,
normally .000015 s/s.
.It Cm freq Ar freq
The argument becomes the initial value of the frequency offset in
-parts-per-million. This overrides the value in the frequency file, if
+parts-per-million.
+This overrides the value in the frequency file, if
present, and avoids the initial training state if it is not.
.It Cm huffpuff Ar huffpuff
The argument becomes the new value for the experimental
@@ -2469,18 +2623,24 @@ There
is no default, since the filter is not enabled unless this command
is given.
.It Cm panic Ar panic
-The argument is the panic threshold, normally 1000 s. If set to zero,
+The argument is the panic threshold, normally 1000 s.
+If set to zero,
the panic sanity check is disabled and a clock offset of any value will
be accepted.
.It Cm step Ar step
-The argument is the step threshold, which by default is 0.128 s. It can
-be set to any positive number in seconds. If set to zero, step
-adjustments will never occur. Note: The kernel time discipline is
+The argument is the step threshold, which by default is 0.128 s.
+It can
+be set to any positive number in seconds.
+If set to zero, step
+adjustments will never occur.
+Note: The kernel time discipline is
disabled if the step threshold is set to zero or greater than the
default.
.It Cm stepout Ar stepout
-The argument is the stepout timeout, which by default is 900 s. It can
-be set to any positive number in seconds. If set to zero, the stepout
+The argument is the stepout timeout, which by default is 900 s.
+It can
+be set to any positive number in seconds.
+If set to zero, the stepout
pulses will not be suppressed.
.El
.It Xo Ic trap Ar host_address
@@ -2505,9 +2665,11 @@ programs may also request their own trap dynamically, configuring a
trap receiver will ensure that no messages are lost when the server
is started.
.It Cm hop Ar ...
-This command specifies a list of TTL values in increasing order. up to 8
-values can be specified. In manycast mode these values are used in turn in
-an expanding-ring search. The default is eight multiples of 32 starting at
+This command specifies a list of TTL values in increasing order, up to 8
+values can be specified.
+In manycast mode these values are used in turn in
+an expanding-ring search.
+The default is eight multiples of 32 starting at
31.
.El
.Sh FILES
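Review bot: this item is headed `.It Cm hop Ar ...`, but the identical text earlier in the file is headed `.It Cm ttl Ar hop ...`, so the command name is missing from the label here. The replacement line "This command specifies a list of TTL values in increasing order, up to 8" also introduces a comma splice; end the sentence at "order." and start "Up to 8 values can be specified." on a new line.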
diff --git a/usr.sbin/ntp/doc/ntpd.8 b/usr.sbin/ntp/doc/ntpd.8
index d5f16d8..f93efe3 100644
--- a/usr.sbin/ntp/doc/ntpd.8
+++ b/usr.sbin/ntp/doc/ntpd.8
@@ -109,7 +109,8 @@ Enable the client to synchronize to broadcast servers.
Specify the name and path of the configuration file, default
.Pa /etc/ntp.conf .
.It Fl d
-Specify debugging mode. This option may occur more than once,
+Specify debugging mode.
+This option may occur more than once,
with each occurrence indicating greater detail of display.
.It Fl D Ar level
Specify debugging level directly.
@@ -133,7 +134,8 @@ This option can be used with the
.Fl q
and
.Fl x
-options. See the
+options.
+See the
.Ic tinker
command for other options.
.It Fl k Ar keyfile
@@ -149,7 +151,8 @@ This is the same operation as the
.Ic logfile Ar logfile
configuration command.
.It Fl L
-Do not listen to virtual IPs. The default is to listen.
+Do not listen to virtual IPs.
+The default is to listen.
.It Fl m
Enable the client to synchronize to multicast servers at the IPv4 multicast
group address 224.0.1.1.
diff --git a/usr.sbin/ntp/doc/ntpdc.8 b/usr.sbin/ntp/doc/ntpdc.8
index e73967f..35ea7aa 100644
--- a/usr.sbin/ntp/doc/ntpdc.8
+++ b/usr.sbin/ntp/doc/ntpdc.8
@@ -162,12 +162,12 @@ following.
.It Ic \&? Ar command_keyword
.It Ic help Ar command_keyword
A
-.Ic Ql \&?
+.Sq Ic \&?
will print a list of all the command
keywords known to this incarnation of
.Nm .
A
-.Ic Ql \&?
+.Sq Ic \&?
followed by a command keyword will print function and usage
information about the command.
This command is probably a better
@@ -592,11 +592,13 @@ configuration file commands of
.It Cm auth
Enables the server to synchronize with unconfigured peers only
if the peer has been correctly authenticated using either public key
-or private key cryptography. The default for this flag is enable.
+or private key cryptography.
+The default for this flag is enable.
.It Cm bclient
Enables the server to listen for a message from a broadcast or
multicast server, as in the multicastclient command with
-default address. The default for this flag is disable.
+default address.
+The default for this flag is disable.
.It Cm calibrate
Enables the calibrate feature for reference clocks.
The default for this flag is disable.
@@ -604,14 +606,16 @@ The default for this flag is disable.
Enables the kernel time discipline, if available.
The default for this flag is enable if support is available, otherwise disable.
.It Cm monitor
-Enables the monitoring facility. See the
+Enables the monitoring facility.
+See the
.Xr ntpdc 8 .
program and the monlist command or further information.
The default for this flag is enable.
.It Cm ntp
Enables time and frequency discipline.
In effect, this switch opens and closes the feedback loop,
-which is useful for testing. The default for this flag is enable.
+which is useful for testing.
+The default for this flag is enable.
.It Cm pps
Enables the pulse-per-second (PPS) signal when frequency
and time is disciplined by the precision time kernel modifications.
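Review bot: the context lines of the monitor item still read ".Xr ntpdc 8 ." followed by "program and the monlist command or further information.", so the rendered sentence has a period in the middle and "or" where "for" is meant. This hunk already rewraps that item, so drop the trailing "." argument from the .Xr line and change "or further information" to "for further information" in the same pass.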
@@ -620,7 +624,8 @@ See the
(available as part of the HTML documentation
provided in
.Pa /usr/share/doc/ntp )
-page for further information. The default for this flag is disable.
+page for further information.
+The default for this flag is disable.
.It Cm stats
Enables the statistics facility.
See the
diff --git a/usr.sbin/ntp/doc/ntpq.8 b/usr.sbin/ntp/doc/ntpq.8
index 71cfaab..60a5fb9 100644
--- a/usr.sbin/ntp/doc/ntpq.8
+++ b/usr.sbin/ntp/doc/ntpq.8
@@ -148,12 +148,12 @@ These are described following.
.It Ic \&? Op Ar command_keyword
.It Ic help Op Ar command_keyword
A
-.Ic Ql \&?
+.Sq Ic \&?
by itself will print a list of all the command
keywords known to this incarnation of
.Nm .
A
-.Ic Ql \&?
+.Sq Ic \&?
followed by a command keyword will print function and usage
information about the command.
This command is probably a better
@@ -241,7 +241,8 @@ modified using the command line
switch.
.It Ic keyid Ar keyid
This command specifies the key number to be used to authenticate
-configuration requests. This must correspond to a key number the server has
+configuration requests.
+This must correspond to a key number the server has
been configured to use for this purpose.
.It Xo Ic ntpversion
.Cm 1 |
@@ -259,7 +260,8 @@ There appear
to be no servers left which demand version 1.
.It Ic passwd
This command prompts for a password (which will not be echoed) which will
-be used to authenticate configuration requests. The password must
+be used to authenticate configuration requests.
+The password must
correspond to the key configured for NTP server for this purpose.
.It Ic quit
Exit
@@ -281,8 +283,10 @@ a timeout will be twice the timeout value set.
.El
.Ss Control Message Commands
Each association known to an NTP server has a 16 bit integer association
-identifier. NTP control messages which carry peer variables must identify the
-peer the values correspond to by including its association ID. An association
+identifier.
+NTP control messages which carry peer variables must identify the
+peer the values correspond to by including its association ID.
+An association
ID of 0 is special, and indicates the variables are system variables, whose
names are drawn from a separate name space.
.Pp
@@ -430,7 +434,8 @@ register, in octal, and the current estimated delay,
offset and dispersion of the peer, all in milliseconds.
The character at the left margin of each line shows the
synchronization status of the association and is a valuable
-diagnostic tool. The encoding and meaning of this character,
+diagnostic tool.
+The encoding and meaning of this character,
called the tally code, is given later in this page.
.It Ic pstatus Ar assocID
Sends a read status request to the server for the given
@@ -466,7 +471,8 @@ system variables, otherwise they are peer variables and the values
returned will be those of the corresponding peer.
Omitting the
variable list will send a request with no data which should induce
-the server to return a default display. The
+the server to return a default display.
+The
encoding and meaning of the variables derived from NTPv3 is given in
RFC-1305; the encoding and meaning of the additional NTPv4 variables are
given later in this page.
@@ -512,7 +518,8 @@ The peer is a survivor and a candidate for the combining algorithm.
.It \&#
.Pq selected
The peer is a survivor, but not among the first six peers sorted by
-synchronization distance. If the association is ephemeral, it may be
+synchronization distance.
+If the association is ephemeral, it may be
demobilized to conserve resources.
.It \&*
.Pq sys.peer
@@ -521,7 +528,8 @@ system variables.
.It o
.Pq pps.peer
The peer has been declared the system peer and lends its variables to
-the system variables. However, the actual system synchronization is derived
+the system variables.
+However, the actual system synchronization is derived
from a pulse-per-second (PPS) signal, either indirectly via the PPS
reference clock driver or directly via kernel interface.
.El
@@ -540,7 +548,8 @@ The
and
.Cm frequency
variables are described in RFC-1305
-specification. Additional NTPv4 system variables include the following.
+specification.
+Additional NTPv4 system variables include the following.
.Bl -tag -width indent
.It version
Everything you might need to know about the software version and generation
@@ -550,7 +559,8 @@ The processor and kernel identification string.
.It system
The operating system version and release identifier.
.It state
-The state of the clock discipline state machine. The values are described
+The state of the clock discipline state machine.
+The values are described
in the architecture briefing on the NTP Project page linked from
www.ntp.org.
.It peer
@@ -570,7 +580,8 @@ depending on the particular dance:
.Bl -tag -width indent
.It flags
The current flags word bits and message digest algorithm identifier (NID)
-in hex format. The high order 16 bits of the four-byte word contain the NID
+in hex format.
+The high order 16 bits of the four-byte word contain the NID
from the OpenSSL ligrary, while the low-order bits are interpreted as
follows:
.Bl -tag -width indent
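Review bot: the context line directly below the re-broken sentence in the flags item still says "from the OpenSSL ligrary"; that should be "library". It sits next to the changed lines, so it is cheap to fix in this commit.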
@@ -593,8 +604,10 @@ function.
.It hostkey
The NTP filestamp of the host key file.
.It cert
-A list of certificates held by the host. Each entry includes the subject,
-issuer, flags and NTP filestamp in order. The bits are interpreted as
+A list of certificates held by the host.
+Each entry includes the subject,
+issuer, flags and NTP filestamp in order.
+The bits are interpreted as
follows:
.Bl -tag -width indent
.It 0x01
@@ -647,7 +660,8 @@ Additional NTPv4 system variables include
the following.
.Bl -tag -width indent
.It flash
-The flash code for the most recent packet received. The encoding and
+The flash code for the most recent packet received.
+The encoding and
meaning of these codes is given later in this page.
.It jitter
The estimated time error of the peer clock measured as an exponential
@@ -661,8 +675,10 @@ When the NTPv4 daemon is compiled with the OpenSSL software library, additional
peer variables are displayed, including the following:
.Bl -tag -width indent
.It flags
-The current flag bits. This word is the server host status word with
-additional bits used by the Autokey state machine. See the source code for
+The current flag bits.
+This word is the server host status word with
+additional bits used by the Autokey state machine.
+See the source code for
the bit encoding.
.It hostname
The server host name.
@@ -680,18 +696,22 @@ The NTP timestamp when the last Autokey key list was generated and signed.
The
.Cm flash
code is a valuable debugging aid displayed in the peer variables
-list. It shows the results of the original sanity checks defined in the NTP
-specification RFC-1305 and additional ones added in NTPv4. There are 12 tests
+list.
+It shows the results of the original sanity checks defined in the NTP
+specification RFC-1305 and additional ones added in NTPv4.
+There are 12 tests
designated
.Sy TEST1
through
.Sy TEST12 .
The tests are performed in a certain order
designed to gain maximum diagnostic information while protecting against
-accidental or malicious errors. The
+accidental or malicious errors.
+The
.Sy flash
variable is initialized to zero as
-each packet is received. If after each set of tests one or more bits are set,
+each packet is received.
+If after each set of tests one or more bits are set,
the packet is discarded.
.Pp
Tests
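Review bot: the flash variable is marked up as ".Cm flash" at the top of this paragraph and as ".Sy flash" a few lines later ("The" / ".Sy flash" / "variable is initialized to zero"). A markup pass should settle on one macro for the same variable name so both occurrences render identically.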
@@ -699,22 +719,27 @@ Tests
through
.Sy TEST3
check the packet timestamps from which the offset and
-delay are calculated. If any bits are set, the packet is discarded; otherwise,
+delay are calculated.
+If any bits are set, the packet is discarded; otherwise,
the packet header variables are saved.
.Sy TEST4
and
.Sy TEST5
are associated with
-access control and cryptographic authentication. If any bits are set, the
+access control and cryptographic authentication.
+If any bits are set, the
packet is discarded immediately with nothing changed.
.Pp
Tests
.Sy TEST6
through
.Sy TEST8
-check the health of the server. If any bits are set,
+check the health of the server.
+If any bits are set,
the packet is discarded; otherwise, the offset and delay relative to the server
-are calculated and saved. TEST9 checks the health of the association itself. If
+are calculated and saved.
+TEST9 checks the health of the association itself.
+If
any bits are set, the packet is discarded; otherwise, the saved variables are
passed to the clock filter and mitigation algorithms.
.Pp
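Review bot: the added line "TEST9 checks the health of the association itself." leaves TEST9 as plain text, while every other test name in this paragraph uses ".Sy" (TEST3, TEST4, TEST5, TEST6, TEST8). Now that the sentence starts on its own line, it can be written as ".Sy TEST9" followed by "checks the health of the association itself." for consistent rendering.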
@@ -738,35 +763,44 @@ bits for each test are defined as follows.
.Bl -tag -width indent
.It 0x001
.Pq TEST1
-Duplicate packet. The packet is at best a casual retransmission and at
+Duplicate packet.
+The packet is at best a casual retransmission and at
worst a malicious replay.
.It 0x002
.Pq TEST2
-Bogus packet. The packet is not a reply to a message previously sent. This
+Bogus packet.
+The packet is not a reply to a message previously sent.
+This
can happen when the NTP daemon is restarted and before somebody else
notices.
.It 0x004
.Pq TEST3
-Unsynchronized. One or more timestamp fields are invalid. This normally
+Unsynchronized.
+One or more timestamp fields are invalid.
+This normally
happens when the first packet from a peer is received.
.It 0x008
.Pq TEST4
-Access is denied. See the
+Access is denied.
+See the
.Sx Access Control Support
section of
.Xr ntp.conf 5 .
.It 0x010
.Pq TEST5
-Cryptographic authentication fails. See the
+Cryptographic authentication fails.
+See the
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
.It 0x020
.Pq TEST6
-The server is unsynchronized. Wind up its clock first.
+The server is unsynchronized.
+Wind up its clock first.
.It 0x040
.Pq TEST7
-The server stratum is at the maximum than 15. It is probably unsynchronized
+The server stratum is at the maximum than 15.
+It is probably unsynchronized
and its clock needs to be wound up.
.It 0x080
.Pq TEST8
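Review bot: the added line "The server stratum is at the maximum than 15." in the 0x040 (TEST7) item is carried over verbatim from the old text and does not parse; it mixes "at the maximum of 15" with "greater than 15". Pick the wording that matches what the daemon actually tests and fix it here, since this entry is what an operator reads when working out why a server's packets were rejected.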
@@ -778,21 +812,24 @@ Either the peer delay or dispersion is greater than one second, which is
higly unlikely unless the peer is on Mars.
.It 0x200
.Pq TEST10
-The autokey protocol has detected an authentication failure. See the
+The autokey protocol has detected an authentication failure.
+See the
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
.It 0x400
.Pq TEST11
The autokey protocol has not verified the server or peer is proventic and
-has valid public key credentials. See the
+has valid public key credentials.
+See the
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
.It 0x800
.Pq TEST12
A protocol or configuration error has occurred in the public key algorithms
-or a possible intrusion event has been detected. See the
+or a possible intrusion event has been detected.
+See the
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
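Review bot: the first context line of this hunk still has "higly unlikely" in the item just above 0x200 (TEST10); that should be "highly". The hunk otherwise only splits sentences, so the typo fix fits the scope of the commit.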
diff --git a/usr.sbin/pkg_install/info/pkg_info.1 b/usr.sbin/pkg_install/info/pkg_info.1
index 86caa7a..fb05af1 100644
--- a/usr.sbin/pkg_install/info/pkg_info.1
+++ b/usr.sbin/pkg_install/info/pkg_info.1
@@ -25,7 +25,7 @@
.Nd a utility for displaying information on software packages
.Sh SYNOPSIS
.Nm
-.Op Fl bcdDEfgGijIkKLmopPqQrRsvVxX
+.Op Fl bcdDEfgGiIjkKLmopPqQrRsvVxX
.Op Fl e Ar package
.Op Fl l Ar prefix
.Op Fl t Ar template
diff --git a/usr.sbin/pmcstat/pmcstat.8 b/usr.sbin/pmcstat/pmcstat.8
index 5a3e3ec..fffc945 100644
--- a/usr.sbin/pmcstat/pmcstat.8
+++ b/usr.sbin/pmcstat/pmcstat.8
@@ -145,13 +145,13 @@ is of the form
where
.Ar hostname
does not start with a
-.Sq \&.
+.Ql \&.
or a
-.Sq / ,
+.Ql / ,
then
.Nm
will open a network socket to host
-.Ar hostname
+.Ar hostname
on port
.Ar port .
.Pp
@@ -303,7 +303,8 @@ It is
.Sh AUTHORS
.An Joseph Koshy Aq jkoshy@FreeBSD.org
.Sh BUGS
+The
.Nm
-cannot yet analyse
+utility cannot yet analyse
.Xr hwpmc 4
logs generated by non-native architectures.
diff --git a/usr.sbin/portsnap/portsnap/portsnap.8 b/usr.sbin/portsnap/portsnap/portsnap.8
index 1f80f3c..1d7a82b 100644
--- a/usr.sbin/portsnap/portsnap/portsnap.8
+++ b/usr.sbin/portsnap/portsnap/portsnap.8
@@ -54,7 +54,7 @@ uncompressed ports tree.
The following options are supported:
.Bl -tag -width "-f conffile"
.It Fl d Ar workdir
-Store working files (e.g. downloaded updates) in
+Store working files (e.g.\& downloaded updates) in
.Ar workdir .
(default:
.Pa /var/db/portsnap ,
@@ -72,7 +72,7 @@ command, update INDEX files, but not the rest of the ports tree.
Expect a public key with given SHA256 hash.
(default: read value from configuration file.)
.It Fl l Ar descfile
-Merge the specified local describes file into the INDEX files being
+Merge the specified local describes file into the INDEX files being
built.
The
.Ar descfile
@@ -95,9 +95,9 @@ For
.Cm extract
command only, operate only on parts of the ports tree starting with
.Ar path .
-(e.g.
+(e.g.\&
.Nm
-.cm extract
+.Cm extract
.Ar sysutils/port
would extract sysutils/portsman, sysutils/portsnap,
sysutils/portupgrade, etc.)
@@ -206,16 +206,16 @@ of files are not needed by any particular client.
.Sh PRIVACY NOTICE
As an unavoidable part of its operation, a machine running
.Nm
-will make its public IP address and the list of files it fetches
+will make its public IP address and the list of files it fetches
available to the server from which it fetches updates.
-Using these it may be possible to recognize a machine over an extended
-period of time, determine when it is updated, and identify which
-portions of the FreeBSD ports tree, if any, are being ignored using
+Using these it may be possible to recognize a machine over an extended
+period of time, determine when it is updated, and identify which
+portions of the FreeBSD ports tree, if any, are being ignored using
"REFUSE" directives in
.Pa portsnap.conf .
In addition, the FreeBSD release level is transmitted to the server.
.Pp
-Statistical data generated from information collected in this manner
+Statistical data generated from information collected in this manner
may be published, but only in aggregate and after anonymizing the
individual systems.
.Sh FILES
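Review bot: the PRIVACY NOTICE changes in this hunk appear to be whitespace-only, yet the context line '"REFUSE" directives in' keeps plain ASCII double quotes in running text. For a markup cleanup, quote the keyword with a macro (for example ".Dq REFUSE" followed by "directives in") so it renders with the same quoting style as the rest of the page.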
@@ -228,9 +228,9 @@ Default location where compressed snapshots are stored.
Default location where the ports tree is extracted.
.El
.Sh SEE ALSO
-.Xr fetch 1
-.Xr fetch 3
+.Xr fetch 1 ,
+.Xr sha256 1 ,
+.Xr fetch 3 ,
.Xr portsnap.conf 5
-.Xr sha256 1
.Sh AUTHORS
.An Colin Percival Aq cperciva@FreeBSD.org
diff --git a/usr.sbin/syslogd/syslog.conf.5 b/usr.sbin/syslogd/syslog.conf.5
index bf94c41..1a86a4c 100644
--- a/usr.sbin/syslogd/syslog.conf.5
+++ b/usr.sbin/syslogd/syslog.conf.5
@@ -338,8 +338,9 @@ Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
If a port number is added after a colon
-.Pq ':'
-then that port will be used as the destination port rather than the usual syslog port.
+.Pq Ql :\&
+then that port will be used as the destination port
+rather than the usual syslog port.
.It
A comma separated list of users.
Selected messages are written to those users
diff --git a/usr.sbin/watchdogd/watchdog.8 b/usr.sbin/watchdogd/watchdog.8
index 0905781..9ca9fe0 100644
--- a/usr.sbin/watchdogd/watchdog.8
+++ b/usr.sbin/watchdogd/watchdog.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 28, 2004
+.Dd September 2, 2006
.Dt WATCHDOG 8
.Os
.Sh NAME
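Review bot: the ".Dd" line is the only change in this hunk, moving the date from February 28, 2004 to September 2, 2006 with no accompanying content change visible. If the bump is meant to record an earlier content change to the page, say so in the commit message; otherwise a markup-only commit should leave ".Dd" alone. The same question applies to the identical ".Dd" change in watchdogd.8.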
diff --git a/usr.sbin/watchdogd/watchdogd.8 b/usr.sbin/watchdogd/watchdogd.8
index a049c1b..b00fef1 100644
--- a/usr.sbin/watchdogd/watchdogd.8
+++ b/usr.sbin/watchdogd/watchdogd.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd June 25, 2003
+.Dd September 2, 2006
.Dt WATCHDOGD 8
.Os
.Sh NAME
diff --git a/usr.sbin/wpa/hostapd/hostapd.conf.5 b/usr.sbin/wpa/hostapd/hostapd.conf.5
index c83d2a8..96c8ad3 100644
--- a/usr.sbin/wpa/hostapd/hostapd.conf.5
+++ b/usr.sbin/wpa/hostapd/hostapd.conf.5
@@ -72,7 +72,8 @@ mode.
Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 =
excessive.
.It Va dump_file
-Dump file for state information (on SIGUSR1).
+Dump file for state information (on
+.Dv SIGUSR1 ) .
.It Va ctrl_interface
The pathname of the directory in which
.Xr hostapd 8
@@ -185,8 +186,8 @@ seconds.
Rekey GTK when any STA that possesses the current GTK is leaving the
BSS.
.It Va wpa_gmk_rekey
-Time interval for rekeying GMK (master key used internally to generate GTKs
-(in seconds).
+Time interval for rekeying GMK (master key used internally to generate GTKs),
+in seconds.
.El
.Sh SEE ALSO
.Xr hostapd 8 ,
diff --git a/usr.sbin/wpa/ndis_events/ndis_events.8 b/usr.sbin/wpa/ndis_events/ndis_events.8
index 0c5a64a..8cbd0cc 100644
--- a/usr.sbin/wpa/ndis_events/ndis_events.8
+++ b/usr.sbin/wpa/ndis_events/ndis_events.8
@@ -51,7 +51,8 @@ utility listens for events generated by an
.Xr ndis 4
wireless network driver and relays them to
.Xr wpa_supplicant 8
-for possible processing. The three event types that can occur
+for possible processing.
+The three event types that can occur
are media connect and disconnect events, such as when a wireless
interface joins or leaves a network, and media-specific events.
In particular,
@@ -64,12 +65,14 @@ needs in order to properly associate with WPA2-capable access points.
The
.Nm
daemon works by listening for interface information events via
-a routing socket. When it detects an event that was generated by an
+a routing socket.
+When it detects an event that was generated by an
.Xr ndis 4
interface, it transmits it via UDP packet on the loopback interface,
where
.Xr wpa_supplicant 8
-is presumeably listening. The standard
+is presumeably listening.
+The standard
.Xr wpa_supplicant 8
distribution includes its own version of this utility for use with
.Tn Windows\[rg] .
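Review bot: the added line "is presumeably listening." carries the misspelling "presumeably" over from the removed line; it should be "presumably". Since the line is being rewritten anyway, correct it here.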
@@ -92,31 +95,35 @@ The
daemon supports the following options:
.Bl -tag -width indent
.It Fl a
-Process all events. By default,
+Process all events.
+By default,
.Nm
will only process and forward media-specific events, which contain
PMKID candidate information, and not bother forwarding connect and
disconnect events, since
.Xr wpa_supplicant 8
-normally can determine the current link state on its own. In some
+normally can determine the current link state on its own.
+In some
cases, the additional connect and disconnect events only confuse it
and make the association and authentication process take longer.
.It Fl d
-Run in debug mode. This causes
+Run in debug mode.
+This causes
.Nm
to run in the foreground and generate any output to the standard
error instead of using the
.Xr syslog 3
facility.
.It Fl v
-Run in verbose mode. This causes
+Run in verbose mode.
+This causes
.Nm
to emit notifications when it receives events.
.El
.Sh SEE ALSO
.Xr ndis 4 ,
-.Xr ndisapi 9 ,
-.Xr wpa_supplicant 8
+.Xr wpa_supplicant 8 ,
+.Xr ndisapi 9
.Sh HISTORY
The
.Nm