From: Crystal Kolipe <kolipe.c@exoticsilicon.com>
Subject: pf rule bypass with IPv6 link local destination
To: tech@openbsd.org
Date: Wed, 21 Aug 2024 07:11:16 -0300


Rules in pf.conf that specify a 'user' parameter are ignored when the
destination is an IPv6 link local address.

Is this a known bug, limitation, or expected behaviour?

The effect is somewhat worse when the 'user' parameter is used in a block
rule, as during casual testing with globally scoped IPv6 addresses it appears
to work, and yet the blocked UIDs can still access link-local addresses that
are expected to be blocked (see second example).


Minimal reproducer:

Local IPs: 192.168.1.1, 2001:db8:ffff::1, fe80::1111:2222:3333:4444

# cat /etc/pf.conf
block return
pass out proto tcp user 1000

As root:

telnet 192.168.1.2			Fails as expected
telnet 2001:db8:ffff::2			Fails as expected
telnet fe80::1111:2222:3333:4444%rge0	Fails as expected

As UID 1000:

telnet 192.168.1.2			Works as expected
telnet 2001:db8:ffff::2			Works as expected
telnet fe80::1111:2222:3333:4444%rge0	Fails !?


Second example:

Local IPs: 192.168.1.1, 2001:db8:ffff::1, fe80::1111:2222:3333:4444

# cat /etc/pf.conf
block return
pass out
block out proto tcp user 1000

As root:

telnet 192.168.1.2			Works as expected
telnet 2001:db8:ffff::2			Works as expected
telnet fe80::1111:2222:3333:4444%rge0	Works as expected

As UID 1000:

telnet 192.168.1.2			Fails as expected
telnet 2001:db8:ffff::2			Fails as expected
telnet fe80::1111:2222:3333:4444%rge0	Works :-(
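A check script, added here and not part of the original post, that automates the first reproducer above: it probes every destination as root and as the test user with nc(1) and flags any row where the observed result contradicts what the pf.conf rules should do. It assumes nc(1), a doas.conf rule allowing root to run commands as TEST_USER, a listening TCP service on PORT at each destination, and that the placeholder addresses and interface name are edited for the machine under test.

```shell
#!/bin/sh
# Probe pf 'user' rule enforcement per address scope (added example, not
# from the original report). Assumes nc(1), doas(1) permitting root to run
# commands as TEST_USER, and a TCP listener on PORT at every destination.

PORT=${PORT:-23}
IFACE=${IFACE:-rge0}
TEST_USER=${TEST_USER:-1000}     # doas -u accepts a numeric uid

# Constructed expectation table for the first pf.conf in the post
# ("block return" + "pass out proto tcp user 1000"): user dest expected
EXPECTED="
root 192.168.1.2 block
root 2001:db8:ffff::2 block
root fe80::1111:2222:3333:4444%$IFACE block
$TEST_USER 192.168.1.2 pass
$TEST_USER 2001:db8:ffff::2 pass
$TEST_USER fe80::1111:2222:3333:4444%$IFACE pass
"

# probe USER DEST: prints "pass" when a TCP connect succeeds, "block" otherwise
probe() {
	if [ "$1" = root ]; then
		nc -z -w 3 "$2" "$PORT" >/dev/null 2>&1 && echo pass || echo block
	else
		doas -u "$1" nc -z -w 3 "$2" "$PORT" >/dev/null 2>&1 && echo pass || echo block
	fi
}

# report: reads "user dest expected observed" lines on stdin, prints one
# verdict per line and returns 1 if any observation contradicts pf.conf
report() {
	awk '{
		v = ($3 == $4) ? "ok" : "MISMATCH";
		if (v == "MISMATCH") bad++;
		printf "%-5s %-40s expected=%-5s observed=%-5s %s\n", $1, $2, $3, $4, v
	} END { exit (bad > 0) }'
}

# run_checks: probe every row of EXPECTED and hand the results to report
run_checks() {
	echo "$EXPECTED" | while read -r user dest want; do
		[ -n "$user" ] && echo "$user $dest $want $(probe "$user" "$dest")"
	done | report
}
```

Run `run_checks` as root; on a system showing the behaviour in the post, the link-local row for the test user prints MISMATCH and the function exits non-zero.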