Man page: uniform formatting style for options.

* Always use the long option form, except when options are introduced. * Render options in bold, with '--' prefix.
2025-12-19 10:18:25 +00:00 · 2018-06-12 17:04:54 +01:00
parent 51e4eeeb04
commit 9268b5d677
1 changed files with 136 additions and 140 deletions
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -53,13 +53,13 @@ will display DHCPv6 options.
 Don't read the hostnames in /etc/hosts.
 .TP
 .B \-H, --addn-hosts=<file>
-Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
+Additional hosts file. Read the specified file as well as /etc/hosts. If \fB--no-hosts\fP is given, read
 only the specified file. This option may be repeated for more than one
 additional hosts file. If a directory is given, then read all the files contained in that directory. 
 .TP
 .B --hostsdir=<path>
 Read all the hosts files contained in the directory. New or changed files
-are read automatically. See --dhcp-hostsdir for details.
+are read automatically. See \fB--dhcp-hostsdir\fP for details.
 .TP
 .B \-E, --expand-hosts
 Add the domain to simple names (without a period) in /etc/hosts
@@ -76,7 +76,7 @@ reduce the load on the server at the expense of clients using stale
 data under some circumstances.
 .TP
 .B --dhcp-ttl=<time>
-As for --local-ttl, but affects only replies with information from DHCP leases. If both are given, --dhcp-ttl applies for DHCP information, and --local-ttl for others. Setting this to zero eliminates the effect of --local-ttl for DHCP.
+As for \fB--local-ttl\fP, but affects only replies with information from DHCP leases. If both are given, \fB--dhcp-ttl\fP applies for DHCP information, and \fB--local-ttl\fP for others. Setting this to zero eliminates the effect of \fB--local-ttl\fP for DHCP.
 .TP
 .B --neg-ttl=<time>
 Negative replies from upstream servers normally contain time-to-live
@@ -115,7 +115,7 @@ don't change user id, generate a complete cache dump on receipt on
 SIGUSR1, log to stderr as well as syslog, don't fork new processes
 to handle TCP queries. Note that this option is for use in debugging
 only, to stop dnsmasq daemonising in production, use 
-.B -k.
+.B --keep-in-foreground.
 .TP
 .B \-q, --log-queries
 Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie
@@ -191,7 +191,6 @@ Dnsmasq picks random ports as source for outbound queries:
 when this option is given, the ports used will always be lower
 than that specified. Useful for systems behind firewalls.
 .TP
 .B \-i, --interface=<interface name>
 Listen only on the specified interface(s). Dnsmasq automatically adds
 the loopback (local) interface to the list of interfaces to use when
@@ -250,8 +249,8 @@ addresses associated with the interface.
 .B --local-service
 Accept DNS queries only from hosts whose address is on a local subnet,
 ie a subnet for which an interface exists on the server. This option
-only has effect if there are no --interface --except-interface,
+only has effect if there are no \fB--interface\fP, \fB--except-interface\fP,
--listen-address or --auth-server options. It is intended to be set as
+\fB--listen-address\fP or \fB--auth-server\fP options. It is intended to be set as
 a default on installation, to allow unconfigured installations to be
 useful but also safe from being used for DNS amplification attacks.
 .TP 
@@ -294,10 +293,10 @@ addresses appear, it automatically listens on those (subject to any
 access-control configuration). This makes dynamically created
 interfaces work in the same way as the default. Implementing this
 option requires non-standard networking APIs and it is only available
-under Linux. On other platforms it falls-back to --bind-interfaces mode.
+under Linux. On other platforms it falls-back to \fB--bind-interfaces\fP mode.
 .TP
 .B \-y, --localise-queries
-Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was
+Return answers to DNS queries from /etc/hosts and \fB--interface-name\fP which depend on the interface over which the query was
 received. If a name has more than one address associated with
 it, and at least one of those addresses is on the same subnet as the
 interface to which the query was sent, then return only the
@@ -402,7 +401,7 @@ these services.
 .B  --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
 Do not detect and block dns-rebind on queries to these domains. The
 argument may be either a single domain, or multiple domains surrounded
-by '/', like the --server syntax, eg. 
+by '/', like the \fB--server\fP syntax, eg.
 .B  --rebind-domain-ok=/domain1/domain2/domain3/
 .TP
 .B \-n, --no-poll
@@ -421,14 +420,13 @@ from /etc/hosts or DHCP then a "not found" answer is returned.
 .TP
 .B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
 Specify IP address of upstream servers directly. Setting this flag does
-not suppress reading of /etc/resolv.conf, use -R to do that. If one or
+not suppress reading of /etc/resolv.conf, use \fB--no-resolv\fP to do that. If one or more
 more 
 optional domains are given, that server is used only for those domains
 and they are queried only using the specified server. This is
 intended for private nameservers: if you have a nameserver on your
 network which deals with names of the form
 xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving  the flag 
-.B -S /internal.thekelleys.org.uk/192.168.1.1 
+.B --server=/internal.thekelleys.org.uk/192.168.1.1
 will send all queries for
 internal machines to that nameserver, everything else will go to the
 servers in /etc/resolv.conf. DNSSEC validation is turned off for such
@@ -440,7 +438,7 @@ has the special meaning of "unqualified names only" ie names without any
 dots in them. A non-standard port may be specified as 
 part of the IP
 address using a # character.
-More than one -S flag is allowed, with
+More than one \fB--server\fP flag is allowed, with
 repeated domain or ipaddr parts as required.
 More specific domains take precedence over less specific domains, so:
@@ -460,9 +458,9 @@ flag which gives a domain but no IP address; this tells dnsmasq that
 a domain is local and it may answer queries from /etc/hosts or DHCP
 but should never forward queries on that domain to any upstream
 servers.
-.B local
+.B --local
 is a synonym for
-.B server
+.B --server
 to make configuration files clearer in this case.
 IPv6 addresses may include an %interface scope-id, eg
@@ -493,7 +491,7 @@ is exactly equivalent to
 Specify an IP address to return for any host in the given domains.
 Queries in the domains are never forwarded and always replied to
 with the specified IP address which may be IPv4 or IPv6. To give
-both IPv4 and IPv6 addresses for a domain, use repeated \fB-A\fP flags.
+both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags.
 To include multiple IP addresses for a single query, use
 \fB--addn-hosts=<path>\fP instead.
 Note that /etc/hosts and DHCP leases override this for individual
@@ -523,7 +521,7 @@ for more details.
 .B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
 Return an MX record named <mx name> pointing to the given hostname (if
 given), or
-the host specified in the --mx-target switch
+the host specified in the \fB--mx-target\fP switch
 or, if that switch is not given, the host on which dnsmasq 
 is running. The default is useful for directing mail from systems on a LAN
 to a central server. The preference value is optional, and defaults to
@@ -531,7 +529,7 @@ to a central server. The preference value is optional, and defaults to
 .TP 
 .B \-t, --mx-target=<hostname>
 Specify the default target for the MX record returned by dnsmasq. See
--mx-host.  If --mx-target is given, but not --mx-host, then dnsmasq
+\fB--mx-host\fP.  If \fB--mx-target\fP is given, but not \fB--mx-host\fP, then dnsmasq
 returns a MX record containing the MX target for MX queries on the 
 hostname of the machine on which dnsmasq is running.
 .TP
@@ -540,7 +538,7 @@ Return an MX record pointing to itself for each local
 machine. Local machines are those in /etc/hosts or with DHCP leases.
 .TP 
 .B \-L, --localmx
-Return an MX record pointing to the host given by mx-target (or the
+Return an MX record pointing to the host given by \fB--mx-target\fP (or the
 machine on which dnsmasq is running) for each
 local machine. Local machines are those in /etc/hosts or with DHCP
 leases.
@@ -560,22 +558,22 @@ all that match are returned.
 Add A, AAAA and PTR records to the DNS. This adds one or more names to
 the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
 appear in more than one 
-.B host-record
+.B --host-record
 and therefore be assigned more than one address. Only the first
 address creates a PTR record linking the address to the name. This is
 the same rule as is used reading hosts-files. 
-.B host-record
+.B --host-record
 options are considered to be read before host-files, so a name
 appearing there inhibits PTR-record creation if it appears in
 hosts-file also. Unlike hosts-files, names are not expanded, even when
-.B expand-hosts
+.B --expand-hosts
 is in effect. Short and long names may appear in the same 
-.B host-record,
+.B --host-record,
 eg. 
 .B --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100
 If the time-to-live is given, it overrides the default, which is zero
-or the value of --local-ttl. The value is a positive integer and gives 
+or the value of \fB--local-ttl\fP. The value is a positive integer and gives
 the time-to-live in seconds.
 .TP
 .B \-Y, --txt-record=<name>[[,<text>],<text>]
@@ -594,7 +592,7 @@ Return an NAPTR DNS record, as specified in RFC3403.
 Return a CNAME record which indicates that <cname> is really
 <target>. There are significant limitations on the target; it must be a
 DNS name which is known to dnsmasq from /etc/hosts (or additional
-hosts files), from DHCP, from --interface-name or from another 
+hosts files), from DHCP, from \fB--interface-name\fP or from another
 .B --cname.
 If the target does not satisfy this
 criteria, the whole cname is ignored. The cname must be unique, but it
@@ -603,7 +601,7 @@ it's possible to declare multiple cnames to a target in a single line, like so:
 .B --cname=cname1,cname2,target
 If the time-to-live is given, it overrides the default, which is zero
-or the value of -local-ttl. The value is a positive integer and gives 
+or the value of \fB--local-ttl\fP. The value is a positive integer and gives
 the time-to-live in seconds.
 .TP
 .B --dns-rr=<name>,<RR-number>,[<hex data>]
@@ -624,7 +622,7 @@ matching PTR record is also created, mapping the interface address to
 the name. More than one name may be associated with an interface
 address by repeating the flag; in that case the first instance is used
 for the reverse address-to-name mapping. Note that a name used in 
--interface-name may not appear in /etc/hosts.
+\fB--interface-name\fP may not appear in /etc/hosts.
 .TP
 .B --synth-domain=<domain>,<address range>[,<prefix>[*]]
 Create artificial A/AAAA and PTR records for an address range. The
@@ -662,7 +660,7 @@ subnet as the dnsmasq server. Note that the mechanism used to achieve this (an E
 is not yet standardised, so this should be considered
 experimental. Also note that exposing MAC addresses in this way may
 have security and privacy implications. The warning about caching
-given for --add-subnet applies to --add-mac too. An alternative encoding of the 
+given for \fB--add-subnet\fP applies to \fB--add-mac\fP too. An alternative encoding of the
 MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
 .TP
 .B --add-cpe-id=<string>
@@ -753,10 +751,10 @@ which have not been thoroughly checked.
 Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
-If dnsmasq is run in debug mode (-d flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
+If dnsmasq is run in debug mode (\fB--no-daemon\fP flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
 .TP
 .B --dnssec-timestamp=<path>
-Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the 
+Enables an alternative way of checking the validity of the system time for DNSSEC (see \fB--dnssec-no-timecheck\fP). In this case, the
 system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and 
 its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried 
 over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the 
@@ -789,7 +787,7 @@ interface addresses may be confined to only IPv6 addresses using
 an interface has dynamically determined global IPv6 addresses which should
 appear in the zone, but RFC1918 IPv4 addresses which should not.
 Interface-name and address-literal subnet specifications may be used
-freely in the same --auth-zone declaration.
+freely in the same \fB--auth-zone\fP declaration.
 It's possible to exclude certain IP addresses from responses. It can be
 used, to make sure that answers contain only global routeable IP
@@ -818,9 +816,9 @@ Specify the addresses of secondary servers which are allowed to
 initiate zone transfer (AXFR) requests for zones for which dnsmasq is
 authoritative. If this option is not given, then AXFR requests will be
 accepted from any secondary. Specifying
-.B auth-peer
+.B --auth-peer
 without
-.B auth-sec-servers
+.B --auth-sec-servers
 enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.
 .TP 
 .B --conntrack
@@ -831,7 +829,7 @@ associated with the queries which cause it, useful for bandwidth
 accounting and firewalling. Dnsmasq must have conntrack support
 compiled in and the kernel must have conntrack support
 included and configured. This option cannot be combined with
--query-port. 
+.B --query-port.
 .TP
 .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
 .TP
@@ -840,7 +838,7 @@ included and configured. This option cannot be combined with
 Enable the DHCP server. Addresses will be given out from the range
 <start-addr> to <end-addr> and from statically defined addresses given
 in 
-.B dhcp-host
+.B --dhcp-host
 options. If the lease time is given, then leases
 will be given for that length of time. The lease time is in seconds,
 or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
@@ -859,7 +857,7 @@ agent, dnsmasq cannot determine the netmask itself, so it should be
 specified, otherwise dnsmasq will have to guess, based on the class (A, B or
 C) of the network address. The broadcast address is
 always optional. It is always
-allowed to have more than one dhcp-range in a single subnet. 
+allowed to have more than one \fB--dhcp-range\fP in a single subnet.
 For IPv6, the parameters are slightly different: instead of netmask
 and broadcast address, there is an optional prefix length which must
@@ -883,7 +881,7 @@ then deleted. The interface name may have a final "*" wildcard. Note
 that just any address on eth0 will not do: it must not be an
 autoconfigured or privacy address, or be deprecated.
-If a dhcp-range is only being used for stateless DHCP and/or SLAAC,
+If a \fB--dhcp-range\fP is only being used for stateless DHCP and/or SLAAC,
 then the address can be simply ::
 .B --dhcp-range=::,constructor:eth0
@@ -902,7 +900,7 @@ The optional <mode> keyword may be
 which tells dnsmasq to enable DHCP for the network specified, but not
 to dynamically allocate IP addresses: only hosts which have static
 addresses given via 
-.B dhcp-host
+.B --dhcp-host
 or from /etc/ethers will be served. A static-only subnet with address
 all zeros may be used as a "catch-all" address to enable replies to all
 Information-request packets on a subnet which is provided with
@@ -913,9 +911,9 @@ For IPv4, the <mode> may be
 .B proxy
 in which case dnsmasq will provide proxy-DHCP on the specified
 subnet. (See 
-.B pxe-prompt
+.B --pxe-prompt
 and 
-.B pxe-service
+.B --pxe-service
 for details.)
 For IPv6, the mode may be some combination of
@@ -981,10 +979,10 @@ dnsmasq to always allocate the machine lap the IP address
 192.168.0.199. 
 Addresses allocated like this are not constrained to be
-in the range given by the --dhcp-range option, but they must be in
+in the range given by the \fB--dhcp-range\fP option, but they must be in
 the same subnet as some valid dhcp-range.  For
 subnets which don't need a pool of dynamically allocated addresses,
-use the "static" keyword in the dhcp-range declaration.
+use the "static" keyword in the \fB--dhcp-range\fP declaration.
 It is allowed to use client identifiers (called client
 DUID in IPv6-land) rather than
@@ -995,7 +993,7 @@ allowed to specify the client ID as text, like this:
 .B --dhcp-host=id:clientidastext,..... 
 A single
-.B dhcp-host 
+.B --dhcp-host
 may contain an IPv4 address or an IPv6 address, or both. IPv6 addresses must be bracketed by square brackets thus:
 .B --dhcp-host=laptop,[1234::56]
 IPv6 addresses may contain only the host-identifier part:
@@ -1016,7 +1014,7 @@ allocated to a DHCP lease, but only if a
 .B --dhcp-host
 option specifying the name also exists. Only one hostname can be
 given in a 
-.B dhcp-host
+.B --dhcp-host
 option, but aliases are possible by using CNAMEs. (See 
 .B --cname
 ).
@@ -1031,15 +1029,15 @@ useful when there is another DHCP server on the network which should
 be used by some machines.
 The set:<tag> construct sets the tag
-whenever this dhcp-host directive is in use. This can be used to 
+whenever this \fB--dhcp-host\fP directive is in use. This can be used to
 selectively send DHCP options just for this host. More than one tag
-can be set in a dhcp-host directive (but not in other places where
+can be set in a \fB--dhcp-host\fP directive (but not in other places where
 "set:<tag>" is allowed). When a host matches any
-dhcp-host directive (or one implied by /etc/ethers) then the special
+\fB--dhcp-host\fP directive (or one implied by /etc/ethers) then the special
 tag "known" is set. This allows dnsmasq to be configured to
 ignore requests from unknown machines using
 .B --dhcp-ignore=tag:!known
-If the host matches only a dhcp-host directive which cannot
+If the host matches only a \fB--dhcp-host\fP directive which cannot
 be used because it specifies an address on different subnet, the tag "known-othernet" is set.
 Ethernet addresses (but not client-ids) may have
 wildcard bytes, so for example 
@@ -1072,23 +1070,23 @@ has both wired and wireless interfaces.
 Read DHCP host information from the specified file. If a directory
 is given, then read all the files contained in that directory. The file contains 
 information about one host per line. The format of a line is the same
-as text to the right of '=' in --dhcp-host. The advantage of storing DHCP host information
+as text to the right of '=' in \fB--dhcp-host\fP. The advantage of storing DHCP host information
 in this file is that it can be changed without re-starting dnsmasq:
 the file will be re-read when dnsmasq receives SIGHUP.
 .TP
 .B --dhcp-optsfile=<path>
 Read DHCP option information from the specified file.  If a directory
 is given, then read all the files contained in that directory. The advantage of 
-using this option is the same as for --dhcp-hostsfile: the
+using this option is the same as for \fB--dhcp-hostsfile\fP: the
-dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
+\fB--dhcp-optsfile\fP will be re-read when dnsmasq receives SIGHUP. Note that
 it is possible to encode the information in a
 .B --dhcp-boot
 flag as DHCP options, using the options names bootfile-name,
 server-ip-address and tftp-server. This allows these to be included
-in a dhcp-optsfile.
+in a \fB--dhcp-optsfile\fP.
 .TP
 .B --dhcp-hostsdir=<path>
-This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a
+This is equivalent to \fB--dhcp-hostsfile\fP, except for the following. The path MUST be a
 directory, and not an individual file. Changed or new files within
 the directory are read automatically, without the need to send SIGHUP.
 If a file is deleted or changed after it has been read by dnsmasq, then the
@@ -1096,7 +1094,7 @@ host record it contained will remain until dnsmasq receives a SIGHUP, or
 is restarted; ie host records are only added dynamically.
 .TP
 .B --dhcp-optsdir=<path>
-This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
+This is equivalent to \fB--dhcp-optsfile\fP, with the differences noted for \fB--dhcp-hostsdir\fP.
 .TP 
 .B \-Z, --read-ethers
 Read /etc/ethers for information about hosts for the DHCP server. The
@@ -1167,12 +1165,12 @@ a literal IP address as TFTP server name, it is necessary to do
 .B --dhcp-option=66,"1.2.3.4"
 Encapsulated Vendor-class options may also be specified (IPv4 only) using
--dhcp-option: for instance 
+\fB--dhcp-option\fP: for instance
 .B --dhcp-option=vendor:PXEClient,1,0.0.0.0 
 sends the encapsulated vendor
 class-specific option "mftp-address=0.0.0.0" to any client whose
 vendor-class matches "PXEClient". The vendor-class matching is
-substring based (see --dhcp-vendorclass for details). If a
+substring based (see \fB--dhcp-vendorclass\fP for details). If a
 vendor-class option (number 60) is sent by dnsmasq, then that is used 
 for selecting encapsulated options in preference to any sent by the
 client. It is
@@ -1185,7 +1183,7 @@ Options may be encapsulated (IPv4 only) within other options: for instance
 will send option 175, within which is the option 190. If multiple
 options are given which are encapsulated with the same option number
 then they will be correctly combined into one encapsulated option.
-encap: and vendor: are may not both be set in the same dhcp-option.
+encap: and vendor: are may not both be set in the same \fB--dhcp-option\fP.
 The final variant on encapsulated options is "Vendor-Identifying
 Vendor Options" as specified by RFC3925. These are denoted like this: 
@@ -1207,7 +1205,7 @@ needed, for example when sending options to PXELinux.
 .B --dhcp-no-override
 (IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
 option space. If it can, dnsmasq moves the boot server and filename
-information (from dhcp-boot) out of their dedicated fields into
+information (from \fB--dhcp-boot\fP) out of their dedicated fields into
 DHCP options. This make extra space available in the DHCP packet for
 options but can, rarely, confuse old or broken clients. This flag
 forces "simple and safe" behaviour to avoid problems in such a case.
@@ -1217,7 +1215,7 @@ Configure dnsmasq to do DHCP relay. The local address is an address
 allocated to an interface on the host running dnsmasq. All DHCP
 requests arriving on that interface will we relayed to a remote DHCP
 server at the server address. It is possible to relay from a single local
-address to multiple remote servers by using multiple dhcp-relay
+address to multiple remote servers by using multiple \fB--dhcp-relay\fP
 configs with the same local address and different server
 addresses. A server address must be an IP literal address, not a
 domain name. In the case of DHCPv6, the server address may be the
@@ -1226,8 +1224,8 @@ must be given, not be wildcard, and is used to direct the multicast to the
 correct interface to reach the DHCP server. 
 Access control for DHCP clients has the same rules as for the DHCP
-server, see --interface, --except-interface, etc. The optional
+server, see \fB--interface\fP, \fB--except-interface\fP, etc. The optional
-interface name in the dhcp-relay config has a different function: it
+interface name in the \fB--dhcp-relay\fP config has a different function: it
 controls on which interface DHCP replies from the server will be
 accepted. This is intended for configurations which have three
 interfaces: one being relayed from, a second connecting the DHCP
@@ -1249,7 +1247,7 @@ Map from a vendor-class string to a tag. Most DHCP clients provide a
 "vendor class" which represents, in some sense, the type of host. This option 
 maps vendor classes to tags, so that DHCP options may be selectively delivered
 to different classes of hosts. For example 
-.B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
+.B --dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
 will allow options to be set only for HP printers like so:
 .B --dhcp-option=tag:printers,3,192.168.4.4 
 The vendor-class string is
@@ -1284,8 +1282,8 @@ normally given as colon-separated hex, but is also allowed to be a
 simple string. If an exact match is achieved between the circuit or
 agent ID and one provided by a relay agent, the tag is set. 
-.B dhcp-remoteid
+.B --dhcp-remoteid
-(but not dhcp-circuitid) is supported in IPv6. 
+(but not \fB--dhcp-circuitid\fP) is supported in IPv6.
 .TP
 .B --dhcp-subscrid=set:<tag>,<subscriber-id>
 (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
@@ -1296,9 +1294,9 @@ a DHCP interaction to the DHCP server. Once a client is configured, it
 communicates directly with the server. This is undesirable if the
 relay agent is adding extra information to the DHCP packets, such as
 that used by
-.B dhcp-circuitid
+.B --dhcp-circuitid
 and
-.B dhcp-remoteid.
+.B --dhcp-remoteid.
 A full relay implementation can use the RFC 5107 serverid-override
 option to force the DHCP server to use the relay as a full proxy, with all
 packets passing through it. This flag provides an alternative method
@@ -1314,12 +1312,10 @@ the option is sent and matches the value. The value may be of the form
 "01:ff:*:02" in which case the value must match (apart from wildcards)
 but the option sent may have unmatched data past the end of the
 value. The value may also be of the same form as in 
-.B dhcp-option
+.B --dhcp-option
 in which case the option sent is treated as an array, and one element
 must match, so
-
+.B --dhcp-match=set:efi-ia32,option:client-arch,6
 --dhcp-match=set:efi-ia32,option:client-arch,6
 will set the tag "efi-ia32" if the the number 6 appears in the list of
 architectures sent by the client in option 93. (See RFC 4578 for
 details.)  If the value is a string, substring matching is used.
@@ -1333,9 +1329,9 @@ Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
 all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
 If no tag:<tag> appears set:<tag> tags are set unconditionally.
 Any number of set: and tag: forms may appear, in any order. 
-Tag-if lines are executed in order, so if the tag in tag:<tag> is a
+\fB--tag-if\fP lines are executed in order, so if the tag in tag:<tag> is a
 tag set by another
-.B tag-if,
+.B --tag-if,
 the line which sets the tag must precede the one which tests it.
 .TP
 .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
@@ -1344,10 +1340,10 @@ not allocate it a DHCP lease.
 .TP
 .B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
 When all the given tags appear in the tag set, ignore any hostname
-provided by the host. Note that, unlike dhcp-ignore, it is permissible
+provided by the host. Note that, unlike \fB--dhcp-ignore\fP, it is permissible
 to supply no tags, in which case DHCP-client supplied hostnames
 are always ignored, and DHCP hosts are added to the DNS using only
-dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
+\fB--dhcp-host\fP configuration in dnsmasq and the contents of /etc/hosts and
 /etc/ethers.
 .TP
 .B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
@@ -1395,7 +1391,7 @@ likely to move IP address; for this reason it should not be generally used.
 .B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]
 Most uses of PXE boot-ROMS simply allow the PXE
 system to obtain an IP address and then download the file specified by
-.B dhcp-boot
+.B --dhcp-boot
 and execute it. However the PXE system is capable of more complex
 functions when supported by a suitable DHCP server.
@@ -1407,7 +1403,7 @@ integer may be used for other types. The
 parameter after the menu text may be a file name, in which case dnsmasq acts as a
 boot server and directs the PXE client to download the file by TFTP,
 either from itself (
-.B enable-tftp 
+.B --enable-tftp
 must be set for this to work) or another TFTP server if the final server
 address/name is given.
 Note that the "layer"
@@ -1429,23 +1425,23 @@ timeout is given then after the
 timeout has elapsed with no keyboard input, the first available menu
 option will be automatically executed. If the timeout is zero then the first available menu
 item will be executed immediately. If 
-.B pxe-prompt
+.B --pxe-prompt
 is omitted the system will wait for user input if there are multiple
 items in the menu, but boot immediately if
 there is only one. See
-.B pxe-service 
+.B --pxe-service
 for details of menu items.
 Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
 the network is responsible for allocating IP addresses, and dnsmasq
 simply provides the information given in 
-.B pxe-prompt
+.B --pxe-prompt
 and
-.B pxe-service
+.B --pxe-service
 to allow netbooting. This mode is enabled using the
 .B proxy
 keyword in
-.B dhcp-range.
+.B --dhcp-range.
 .TP  
 .B \-X, --dhcp-lease-max=<number>
 Limits dnsmasq to the specified maximum number of DHCP leases. The
@@ -1498,8 +1494,8 @@ the tags used to determine them.
 .TP
 .B --quiet-dhcp, --quiet-dhcp6, --quiet-ra
 Suppress logging of the routine operation of these protocols. Errors and
-problems will still be logged. --quiet-dhcp and quiet-dhcp6 are
+problems will still be logged. \fB--quiet-dhcp\fP and quiet-dhcp6 are
-over-ridden by --log-dhcp.
+over-ridden by \fB--log-dhcp\fP.
 .TP
 .B \-l, --dhcp-leasefile=<path>
 Use the specified file to store DHCP lease information.
@@ -1525,7 +1521,7 @@ address of the host (or DUID for IPv6) , the IP address, and the hostname,
 if known. "add" means a lease has been created, "del" means it has
 been destroyed, "old" is a notification of an existing lease when
 dnsmasq starts or a change to MAC address or hostname of an existing
-lease (also, lease length or expiry and client-id, if leasefile-ro is set).
+lease (also, lease length or expiry and client-id, if \fB--leasefile-ro\fP is set).
 If the MAC address is from a network type other than ethernet,
 it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
 token ring. The process is run as root (assuming that dnsmasq was originally run as
@@ -1699,7 +1695,7 @@ and
 Specify the user as which to run the lease-change script or Lua script. This defaults to root, but can be changed to another user using this flag. 
 .TP
 .B --script-arp
-Enable the "arp" and "arp-old" functions in the dhcp-script and dhcp-luascript.
+Enable the "arp" and "arp-old" functions in the \fB--dhcp-script\fP and \fB--dhcp-luascript\fP.
 .TP
 .B \-9, --leasefile-ro
 Completely suppress use of the lease database file. The file will not
@@ -1724,9 +1720,9 @@ OpenStack compute host where each such interface is a TAP interface to
 a VM, or as in "old style bridging" on BSD platforms.  A trailing '*'
 wildcard can be used in each <alias>.
-It is permissible to add more than one alias using more than one --bridge-interface option since 
+It is permissible to add more than one alias using more than one \fB--bridge-interface\fP option since
--bridge-interface=int1,alias1,alias2 is exactly equivalent to
+\fB--bridge-interface=int1,alias1,alias2\fP is exactly equivalent to
--bridge-interface=int1,alias1 --bridge-interface=int1,alias2
+\fB--bridge-interface=int1,alias1 --bridge-interface=int1,alias2\fP
 .TP
 .B \-s, --domain=<domain>[,<address range>[,local]]
 Specifies DNS domains for the DHCP server. Domains may be be given 
@@ -1757,11 +1753,11 @@ which can change the behaviour of dnsmasq with domains.
 If the address range is given as ip-address/network-size, then a
 additional flag "local" may be supplied which has the effect of adding
--local declarations for forward and reverse DNS queries. Eg.
+\fB--local\fP declarations for forward and reverse DNS queries. Eg.
 .B --domain=thekelleys.org.uk,192.168.0.0/24,local
 is identical to
 .B --domain=thekelleys.org.uk,192.168.0.0/24
--local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
+.B --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
 The network size must be 8, 16 or 24 for this to be legal.
 .TP
 .B --dhcp-fqdn
@@ -1796,7 +1792,7 @@ discovery and (possibly) prefix discovery for autonomous address
 creation are handled by a different protocol. When DHCP is in use,
 only a subset of this is needed, and dnsmasq can handle it, using
 existing DHCP configuration to provide most data. When RA is enabled,
-dnsmasq will advertise a prefix for each dhcp-range, with default
+dnsmasq will advertise a prefix for each \fB--dhcp-range\fP, with default
 router  as the relevant link-local address on 
 the machine running dnsmasq. By default, the "managed address" bits are set, and
 the "use SLAAC" bit is reset. This can be changed for individual
@@ -1851,9 +1847,9 @@ Do not abort startup if specified tftp root directories are inaccessible.
 .TP
 .B --tftp-unique-root[=ip|mac]
 Add the IP or hardware address of the TFTP client as a path component on the end
-of the TFTP-root. Only valid if a tftp-root is set and the directory exists.
+of the TFTP-root. Only valid if a \fB--tftp-root\fP is set and the directory exists.
 Defaults to adding IP address (in standard dotted-quad format).
-For instance, if tftp-root is "/tftp" and client 1.2.3.4 requests file "myfile"
+For instance, if \fB--tftp-root\fP is "/tftp" and client 1.2.3.4 requests file "myfile"
 then the effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise.
 When "=mac" is specified it will append the MAC address instead, using lowercase zero padded digits
 separated by dashes, e.g.: 01-02-03-04-aa-bb
@@ -1863,12 +1859,12 @@ a DHCP lease from us.
 .B --tftp-secure
 Enable TFTP secure mode: without this, any file which is readable by
 the dnsmasq process under normal unix access-control rules is
-available via TFTP. When the --tftp-secure flag is given, only files
+available via TFTP. When the \fB--tftp-secure\fP flag is given, only files
 owned by the user running the dnsmasq process are accessible. If
-dnsmasq is being run as root, different rules apply: --tftp-secure
+dnsmasq is being run as root, different rules apply: \fB--tftp-secure\fP
 has no effect, but only files which have the world-readable bit set
 are accessible. It is not recommended to run dnsmasq as root with TFTP
-enabled, and certainly not without specifying --tftp-root. Doing so
+enabled, and certainly not without specifying \fB--tftp-root\fP. Doing so
 can expose any world-readable file on the server to any host on the net. 
 .TP
 .B --tftp-lowercase
@@ -1908,7 +1904,7 @@ cannot be lower than 1025 unless dnsmasq is running as root. The number
 of concurrent TFTP connections is limited by the size of the port range. 
 .TP  
 .B \-C, --conf-file=<file>
-Specify a different configuration file. The conf-file option is also allowed in
+Specify a different configuration file. The \fB--conf-file\fP option is also allowed in
 configuration files, to include multiple configuration files. A
 filename of "-" causes dnsmasq to read configuration from stdin.
 .TP
@@ -1926,7 +1922,7 @@ escape * characters.
 .B --servers-file=<file>
 A special case of 
 .B --conf-file
-which differs in two respects. Firstly, only --server and --rev-server are allowed 
+which differs in two respects. Firstly, only \fB--server\fP and \fB--rev-server\fP are allowed
 in the configuration file included. Secondly, the file is re-read and the configuration
 therein is updated when dnsmasq receives SIGHUP.
 .SH CONFIG FILE
@@ -1936,9 +1932,9 @@ if it exists. (On
 FreeBSD, the file is 
 .I /usr/local/etc/dnsmasq.conf
 ) (but see the 
-.B \-C
+.B \--conf-file
 and
-.B \-7
+.B \--conf-dir
 options.) The format of this
 file consists of one option per line, exactly as the long options detailed 
 in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
@@ -1954,8 +1950,8 @@ clears its cache and then re-loads
 .I /etc/hosts
 and 
 .I /etc/ethers 
-and any file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile, 
+and any file given by \fB--dhcp-hostsfile\fP, \fB--dhcp-hostsdir\fP, \fB--dhcp-optsfile\fP,
--dhcp-optsdir, --addn-hosts or --hostsdir.
+\fB--dhcp-optsdir\fP, \fB--addn-hosts\fP or \fB--hostsdir\fP.
 The dhcp lease change script is called for all
 existing DHCP leases. If 
 .B
@@ -1975,7 +1971,7 @@ misses and the number of authoritative queries answered are also given. For each
 server it gives the number of queries sent, and the number which
 resulted in an error. In 
 .B --no-daemon
-mode or when full logging is enabled (-q), a complete dump of the
+mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
 contents of the cache is made. 
 The cache statistics are also available in the DNS as answers to 
@@ -2056,7 +2052,7 @@ using
 options or put their addresses real in another file, say
 .I /etc/resolv.dnsmasq
 and run dnsmasq with the 
-.B \-r /etc/resolv.dnsmasq
+.B \--resolv-file /etc/resolv.dnsmasq
 option. This second technique allows for dynamic update of the server
 addresses by PPP or DHCP.
 .PP
@@ -2074,60 +2070,60 @@ the CNAME is shadowed too.
 The tag system works as follows: For each DHCP request, dnsmasq
 collects a set of valid tags from active configuration lines which
 include set:<tag>, including one from the 
-.B dhcp-range
+.B --dhcp-range
 used to allocate the address, one from any matching 
-.B dhcp-host
+.B --dhcp-host
-(and "known" or "known-othernet" if a dhcp-host matches) 
+(and "known" or "known-othernet" if a \fB--dhcp-host\fP matches)
 The tag "bootp" is set for BOOTP requests, and a tag whose name is the 
 name of the interface on which the request arrived is also set.
 Any configuration lines which include one or more tag:<tag> constructs
 will only be valid if all that tags are matched in the set derived
-above. Typically this is dhcp-option.
+above. Typically this is \fB--dhcp-option\fP.
-.B dhcp-option 
+.B --dhcp-option
 which has tags will be used in preference  to an untagged 
-.B dhcp-option,
+.B --dhcp-option,
 provided that _all_ the tags match somewhere in the
 set collected as described above. The prefix '!' on a tag means 'not'
-so --dhcp-option=tag:!purple,3,1.2.3.4 sends the option when the
+so \fB--dhcp-option=tag:!purple,3,1.2.3.4\fP sends the option when the
 tag purple is not in the set of valid tags. (If using this in a
 command line rather than a configuration file, be sure to escape !,
 which is a shell metacharacter)
-When selecting dhcp-options, a tag from dhcp-range is second class
+When selecting \fB--dhcp-options\fP, a tag from \fB--dhcp-range\fP is second class
 relative to other tags, to make it easy to override options for
 individual hosts, so 
-.B dhcp-range=set:interface1,......
+.B --dhcp-range=set:interface1,......
-.B dhcp-host=set:myhost,.....
+.B --dhcp-host=set:myhost,.....
-.B dhcp-option=tag:interface1,option:nis-domain,"domain1"
+.B --dhcp-option=tag:interface1,option:nis-domain,"domain1"
-.B dhcp-option=tag:myhost,option:nis-domain,"domain2"
+.B --dhcp-option=tag:myhost,option:nis-domain,"domain2"
 will set the NIS-domain to domain1 for hosts in the range, but
 override that to domain2 for a particular host.
 .PP
 Note that for 
-.B dhcp-range 
+.B --dhcp-range
 both tag:<tag> and set:<tag> are allowed, to both select the range in
-use based on (eg) dhcp-host, and to affect the options sent, based on
+use based on (eg) \fB--dhcp-host\fP, and to affect the options sent, based on
 the range selected.
 This system evolved from an earlier, more limited one and for backward
 compatibility "net:" may be used instead of "tag:" and "set:" may be
 omitted. (Except in 
-.B dhcp-host,
+.B --dhcp-host,
 where "net:" may be used instead of "set:".) For the same reason, '#'
 may be used instead of '!' to indicate NOT.
 .PP 
 The DHCP server in dnsmasq will function as a BOOTP server also,
 provided that the MAC address and IP address for clients are given,
 either using 
-.B dhcp-host 
+.B --dhcp-host
 configurations or in
 .I /etc/ethers
 , and a
-.B dhcp-range 
+.B --dhcp-range
 configuration option is present to activate the DHCP server
-on a particular network. (Setting --bootp-dynamic removes the need for
+on a particular network. (Setting \fB--bootp-dynamic\fP removes the need for
 static address mappings.) The filename
 parameter in a BOOTP request is used as a tag,
 as is the tag "bootp", allowing some control over the options returned to
@@ -2148,8 +2144,8 @@ for which dnsmasq is authoritative our.zone.com.
 The simplest configuration consists of two lines of dnsmasq configuration; something like
 .nf
-.B auth-server=server.example.com,eth0
+.B --auth-server=server.example.com,eth0
-.B auth-zone=our.zone.com,1.2.3.0/24
+.B --auth-zone=our.zone.com,1.2.3.0/24
 .fi
 and two records in the external DNS
@@ -2172,8 +2168,8 @@ authoritative zone which dnsmasq is serving, typically at the root. Now
 we have
 .nf
-.B auth-server=our.zone.com,eth0
+.B --auth-server=our.zone.com,eth0
-.B auth-zone=our.zone.com,1.2.3.0/24
+.B --auth-zone=our.zone.com,1.2.3.0/24
 .fi
 .nf
@@ -2192,25 +2188,25 @@ entry or
 .B --host-record.
 .nf
-.B auth-server=our.zone.com,eth0
+.B --auth-server=our.zone.com,eth0
-.B host-record=our.zone.com,1.2.3.4
+.B --host-record=our.zone.com,1.2.3.4
-.B auth-zone=our.zone.com,1.2.3.0/24
+.B --auth-zone=our.zone.com,1.2.3.0/24
 .fi
 If the external address is dynamic, the address
 associated with our.zone.com must be derived from the address of the
 relevant interface. This is done using 
-.B interface-name
+.B --interface-name
 Something like:
 .nf
-.B auth-server=our.zone.com,eth0
+.B --auth-server=our.zone.com,eth0
-.B interface-name=our.zone.com,eth0
+.B --interface-name=our.zone.com,eth0
-.B auth-zone=our.zone.com,1.2.3.0/24,eth0
+.B --auth-zone=our.zone.com,1.2.3.0/24,eth0
 .fi
-(The "eth0" argument in auth-zone adds the subnet containing eth0's
+(The "eth0" argument in \fB--auth-zone\fP adds the subnet containing eth0's
-dynamic address to the zone, so that the interface-name returns the
+dynamic address to the zone, so that the \fB--interface-name\fP returns the
 address in outside queries.)
 Our final configuration builds on that above, but also adds a
@@ -2221,7 +2217,7 @@ secondary is beyond the scope of this man-page, but the extra
 configuration of dnsmasq is simple:
 .nf
-.B auth-sec-servers=secondary.myisp.com
+.B --auth-sec-servers=secondary.myisp.com
 .fi
 and
@@ -2235,13 +2231,13 @@ secondary to collect the DNS data. If you wish to restrict this data
 to particular hosts then
 .nf
-.B auth-peer=<IP address of secondary>
+.B --auth-peer=<IP address of secondary>
 .fi
 will do so.
 Dnsmasq acts as an authoritative server for  in-addr.arpa and
-ip6.arpa domains associated with the subnets given in auth-zone
+ip6.arpa domains associated with the subnets given in \fB--auth-zone\fP
 declarations, so reverse (address to name) lookups can be simply
 configured with a suitable NS record, for instance in this example,
 where we allow 1.2.3.0/24 addresses.
@@ -2267,7 +2263,7 @@ target of the CNAME is unqualified, then it  is qualified with the
 authoritative zone name. CNAME used in this way (only) may be wildcards, as in
 .nf
-.B cname=*.example.com,default.example.com
+.B --cname=*.example.com,default.example.com
 .fi
 .PP