pfctl Recursive in anchor broken (DIOCGETRULES: Invalid argument)?
Jov
amutu at amutu.com
Wed Feb 26 14:24:06 UTC 2020
hi hackers,

I started using fail2ban today and found that the pfctl recursive anchor listing does not work: it either reports nothing (pfctl -a 'f2b/*' -sr) or prints all of the main rules plus a warning (pfctl -a '*' -sr gives DIOCGETRULES: Invalid argument).
detail:

# pfctl -a 'f2b' -sA
> f2b/dovecot
> f2b/dovecot-auth-worker
> f2b/pam-generic
> f2b/postfix
> f2b/sshd

# pfctl -a 'f2b/sshd' -sr
> block drop quick proto tcp from <f2b-sshd> to any port = 46

# pfctl -a 'f2b/sshd/*' -sr
> block drop quick proto tcp from <f2b-sshd> to any port = 46

# pfctl -a 'f2b/*' -sr
> (no output)

# pfctl -a '*' -sr | less
> pfctl: DIOCGETRULES: Invalid argument
> scrub in all fragment reassemble
> block drop in log on vtnet0 all
> block drop out log on vtnet0 all
> ....other main rule
rules in /etc/pf.conf:

> block in log on $ext_if
> block out log on $ext_if
> anchor "f2b/*"
from man page of pfctl:

> By default, recursive inline printing of anchors applies only to
> unnamed anchors specified inline in the ruleset. If the anchor
> name is terminated with a '*' character, the -s flag will
> recursively print all anchors in a brace delimited block. For
> example the following will print the "authpf" ruleset
> recursively:
>
> # pfctl -a 'authpf/*' -sr
>
> To print the main ruleset recursively, specify only '*' as the
> anchor name:
>
> # pfctl -a '*' -sr
any idea?
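A way to get the brace-delimited recursive listing the man page describes without relying on the 'name/*' syntax is to walk the anchor tree one pfctl call at a time: list the child anchors of an anchor with -sA, print that anchor's rules with -sr, and descend. The script below does exactly that. It is an added example, not code from the post above or from FreeBSD; it assumes that the PFCTL variable names the pfctl binary (defaulting to pfctl), so that the walk can also be exercised against a stand-in without a live pf. Against a real system it must run as root, and the result is a plain-text snapshot of what fail2ban (or anything else) has actually loaded under the anchor, which is useful for checking that a ban really landed in the ruleset.

```shell
#!/bin/sh
# pf_walk_anchor.sh: print an anchor and every nested anchor in a
# brace-delimited block, one pfctl call per anchor. Works around
# 'pfctl -a "name/*" -sr' printing nothing.
#
# Assumption (not part of the original post): PFCTL names the pfctl
# binary, so a stand-in can be substituted for offline testing.
PFCTL="${PFCTL:-pfctl}"

# pf_anchor_children NAME
#   Names of the anchors directly below NAME, one per line, with the
#   leading indentation that 'pfctl -sA' emits removed.
pf_anchor_children() {
    "$PFCTL" -a "$1" -sA 2>/dev/null \
        | sed 's/^[[:space:]]*//' \
        | grep -v '^$' || true
}

# pf_walk_anchor NAME
#   Emit 'anchor "NAME" {', NAME's own rules indented by two spaces,
#   then each child anchor recursively (indented again), then '}'.
pf_walk_anchor() {
    printf 'anchor "%s" {\n' "$1"
    "$PFCTL" -a "$1" -sr 2>/dev/null | sed 's/^/  /'
    # Recursive calls run in a pipeline subshell, so no variables are
    # clobbered between levels. Anchor names contain no whitespace.
    for child in $(pf_anchor_children "$1"); do
        pf_walk_anchor "$child" | sed 's/^/  /'
    done
    printf '}\n'
}

# pf_walk_count NAME
#   Number of rule lines under NAME, excluding the anchor/brace lines;
#   handy for a quick "did the ban table actually get a rule" check.
pf_walk_count() {
    pf_walk_anchor "$1" \
        | grep -v -e '^ *anchor ' -e '^ *}$' \
        | grep -c '' || true
}

# Usage when run directly: walk the anchor given on the command line
# (default f2b, the anchor used in the post above).
if [ "${0##*/}" = "pf_walk_anchor.sh" ]; then
    pf_walk_anchor "${1:-f2b}"
fi
```

The output mirrors the man page's brace-delimited form, so the same eyes (or the same diff in a change-monitoring job) can compare it against what 'pfctl -a '*' -sr' prints on a system where recursion works.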