Hello, recently I migrated an old pf_old.conf file (OpenBSD 4.4) to the new pf_new.conf grammar of OpenBSD 5.0. In the pf_old.conf there is a line with a user restriction "user <user>". As the old manpage of pf.conf states, only the tcp/udp protocols are handled and others are ignored. This means that in the pf_old.conf the rules are loaded even without tcp/udp flags. With the new version, the tcp/udp flags have to be set in the rule, otherwise an error is thrown (see below) and the rules will not be loaded into the pf engine.

    ... user only applies to tcp/udo
    ... skipping rule due to errors
Unfortunately this can lead to faults during a migration (without the knowledge of this fact). From my point of view, the manpage of pf.conf should be updated with the comment that the option "user <user>" HAS TO BE bound to a protocol, otherwise the rules will not be loaded. Kind regards
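As an added illustration (not part of the original message), the shape of a rule that the 4.4 grammar accepted but the 5.0 grammar rejects, beside the form that loads; the interface, port and user names are placeholders, and the second form assumes the user-based match is wanted for both TCP and UDP:

```pf
# Constructed example: a user-restricted rule without a protocol.
# OpenBSD 4.4 loaded this (non-tcp/udp traffic was silently excluded);
# OpenBSD 5.0 reports "user only applies to tcp/udp" and skips the rule,
# so the intended restriction is never installed.
pass in on em0 from any to any user alice

# Corrected form: bind the "user" option to a protocol explicitly.
# Check the whole file before loading with:  pfctl -nf /etc/pf.conf
pass in on em0 proto { tcp udp } from any to any user alice
```

Running pfctl with -n parses the file without loading it, which surfaces the "skipping rule due to errors" line before the old rule set is replaced.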