I noticed a few possible small bugs:

Pfctl's arguments, like -Tl (load tables only) and -R (load rules only), remove
the option "set skip on" (other options like timeouts seem to be fine). I
haven't checked the other "load only" pfctl arguments, but they probably have a
similar effect. A simple workaround is to provide -O as well.

In filter rules, user X:Y is treated as a username, instead of a range (><
works properly though).

Also, synproxy ignores route-to. But after digging in some archives, it
seems to be a known issue.