No, there was no bug where I suspected one. If rules with 'user = unknown' don't match packets, that means those packets are part of connections that originate from or end on the firewall itself.
You mention SSH and NTP traffic. Are you sure you're not ssh'ing from or into the firewall? And sure that it's not the firewall doing NTP queries (or answering NTP queries)? I agree it's annoying that the uid/gid of the packet isn't logged, but the reason is that the lookup isn't cheap, and doing it for all logged packets would make logging a more expensive operation. Can you provide a pflog output line which shows a packet that you expect to be passed by a rule using 'user = unknown'? Daniel
