doc: properly escape non-hyphens

extensions/libxt_RAWSNAT.man

@@ -8,7 +8,7 @@ which makes it possible to change the source address either when the packet
 enters the machine or when it leaves it. The reason for this table constraint
 is that RAWNAT must happen outside of connection tracking.
 .TP
-\fB--to-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
 Network address to map to. The resulting address will be constructed the
 following way: All 'one' bits in the \fImask\fR are filled in from the new
 \fIaddress\fR. All bits that are zero in the mask are filled in from the
@@ -17,13 +17,13 @@ original address.
 As an example, changing the destination for packets forwarded from an internal
 LAN to the internet:
 .IP
--t raw -A PREROUTING -i lan0 -d 212.201.100.135 -j RAWDNAT --to-destination 199.181.132.250
--t rawpost -A POSTROUTING -o lan0 -s 199.181.132.250 -j RAWSNAT --to-source 212.201.100.135
+\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
+\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
 .PP
 Note that changing addresses may influence the route selection! Specifically,
 it statically NATs packets, not connections, like the normal DNAT/SNAT targets
-would do. Also note that it can transform already-NATed connections -- as said,
-it is completely external to Netfilter's connection tracking/NAT.
+would do. Also note that it can transform already-NATed connections \(em as
+said, it is completely external to Netfilter's connection tracking/NAT.
 .PP
 If the machine itself generates packets that are to be rawnat'ed, you need a
 rule in the OUTPUT chain instead, just like you would with the stateful NAT