Hi all, unfortunately authpf does not delete NAT state when a user is disconnected. I saw this problem and I could not find any good solution. It looks like there is a bug in authpf. I wrote a ksh script that can solve this problem in a clean way. I think this can be a very useful temporary solution until OpenBSD can fix this bug. I named this script clean_authpf_natstate.sh and its content follows here:
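
```ksh
#!/bin/ksh
# Flush pf states left behind by users who have dropped out of authpf_users.
old_users=""
(
while true; do
    users=$(pfctl -t authpf_users -T show 2> /dev/null)
    for old in $old_users; do
        # -w: whole-address match, so 10.0.0.1 does not match 10.0.0.10
        if ! echo $users | fgrep -qw "$old"; then
            # keep state lines and their id: lines, then take the ids for $old
            for ID in $(pfctl -ss -vv | grep -e "^[a-z]" -e "id:" |
                        fgrep -w -A 1 "$old" | awk '/id:/{print $2}'); do
                pfctl -k id -k $ID > /dev/null 2> /dev/null
            done
        fi
    done
    sleep 1
    old_users=$users
done
) &
```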
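
The state-id extraction step from the script above, as an added example that is not part of the original post: it compares each endpoint of a state line against the address exactly instead of searching the line as text, so only the states of the departed host are selected. It assumes the `pfctl -ss -vv` layout the post's pipeline relies on (a state line starting with a lowercase letter, later followed by an indented `id:` line); the function names, addresses and state ids are constructed.

```shell
#!/bin/sh
# Print the id of every state that has address $1 as one of its endpoints.
# Reads `pfctl -ss -vv` text on stdin (layout is an assumption, see lead-in).
state_ids_for_host() {
    awk -v host="$1" '
    /^[a-z]/ {                          # state line: "all tcp a:p (b:p) -> c:p STATE"
        hit = 0
        for (i = 3; i <= NF; i++) {
            ep = $i
            gsub(/[()]/, "", ep)        # pre-translation address is in parentheses
            sub(/\[[0-9]+\]$/, "", ep)  # IPv6 port suffix: addr[port]
            if (ep ~ /^[0-9.]+:[0-9]+$/)
                sub(/:[0-9]+$/, "", ep) # IPv4 port suffix: addr:port
            if (ep == host) hit = 1
        }
        next
    }
    hit && $1 == "id:" { print $2; hit = 0 }   # id line of a matching state
    '
}

# Constructed sample of `pfctl -ss -vv` output: two NAT states whose inside
# addresses differ only by a trailing digit.
sample_states() {
cat <<'EOF'
all tcp 203.0.113.5:51234 (10.0.0.1:51234) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
   [1 + 2] wscale 6  [3 + 4] wscale 7
   age 00:01:12, expires in 23:59:50, 12:10 pkts, 1024:2048 bytes, rule 5
   id: 0000000000000a01 creatorid: 00000001
all udp 203.0.113.5:60001 (10.0.0.10:60001) -> 198.51.100.9:53       MULTIPLE:SINGLE
   age 00:00:05, expires in 00:00:25, 1:1 pkts, 70:120 bytes, rule 5
   id: 0000000000000a02 creatorid: 00000001
EOF
}

# On a live system (requires root):
#   pfctl -ss -vv | state_ids_for_host "$old" |
#       while read -r id; do pfctl -k id -k "$id"; done
```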