Syntax error in rdr

[Aquaakuma]

My jail uses the local network loopback method to connect to the Internet, and it works fine. However, when I add any rules using rdr, I get a PF error when I run bastille restart/start jail-name. This error prevents the container from connecting to the Internet, but it recovers after restarting FreeBSD. The error message is as follows:

pfctl:` DIOCGETRULES: Invalid argument
stdin:3: syntax error
pfctl: Syntax error in config file: pf rules not loaded
stdin:4: syntax error
pfctl: Syntax error in config file: pf rules not loaded

This is my rc.conf

clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="Amadeus"
#sshd_enable="YES"
inetd_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
cron_enable="YES"


# ipv4 
ifconfig_re0="DHCP"
defaultrouter="YES"

# BastilleBSD
bastille_enable="YES"
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"


# Firewall
pf_enable="YES"
pflog_logfile="/var/log/pflog"
pf_rules="/usr/local/etc/pf.conf"
pflog_enable="YES"
gateway_enable="YES"

# SAMBA
samba_server_enable="YES"

This is my pf.conf

ext_if="re0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"

pass in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

This is my bastille config

#####################
## [ BastilleBSD ] ##
#####################

## default paths
bastille_prefix="/usr/local/bastille"                                 ## default: "/usr/local/bastille"
bastille_backupsdir="${bastille_prefix}/backups"                      ## default: "${bastille_prefix}/backups"
bastille_cachedir="${bastille_prefix}/cache"                          ## default: "${bastille_prefix}/cache"
bastille_jailsdir="${bastille_prefix}/jails"                          ## default: "${bastille_prefix}/jails"
bastille_releasesdir="${bastille_prefix}/releases"                    ## default: "${bastille_prefix}/releases"
bastille_templatesdir="${bastille_prefix}/templates"                  ## default: "${bastille_prefix}/templates"
bastille_logsdir="/var/log/bastille"                                  ## default: "/var/log/bastille"

## pf configuration path
bastille_pf_conf="/usr/local/etc/pf.conf"                                       ## default: "/etc/pf.conf"

## bastille scripts directory (assumed by bastille pkg)
bastille_sharedir="/usr/local/share/bastille"                         ## default: "/usr/local/share/bastille"

## bootstrap archives, which components of the OS to install.
## base  - The base OS, kernel + userland
## lib32 - Libraries for compatibility with 32 bit binaries
## ports - The FreeBSD ports (3rd party applications) tree
## src   - The source code to the kernel + userland
## test  - The FreeBSD test suite
## this is a whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base"                                    ## default: "base"

## default timezone
bastille_tzdata=""                                                    ## default: empty to use host's time zone

## default jail resolv.conf
bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"

## bootstrap urls
bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"          ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"

## ZFS options
bastille_zfs_enable="YES"                                                ## default: ""
bastille_zfs_zpool="zroot"                                                 ## default: ""
bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"

## Export/Import options
bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
bastille_compress_gz_options="-1 -v"                                  ## default "-1 -v"
bastille_decompress_gz_options="-k -d -c -v"                          ## default "-k -d -c -v"

## Networking
bastille_network_loopback="bastille0"                                 ## default: "bastille0"
bastille_network_pf_ext_if="ext_if"                                   ## default: "ext_if"
bastille_network_pf_table="jails"                                     ## default: "jails"
bastille_network_shared=""                                            ## default: ""
bastille_network_gateway=""                                           ## default: ""
bastille_network_gateway6=""                                          ## default: ""

## Default Templates
bastille_template_base="default/base"                                 ## default: "default/base"
bastille_template_empty=""                                            ## default: "default/empty"
bastille_template_thick="default/thick"                               ## default: "default/thick"
bastille_template_clone="default/clone"                               ## default: "default/clone"
bastille_template_thin="default/thin"                                 ## default: "default/thin"
bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"

[Aquaakuma]

I tried setting ip6 = disable and deleting allow.mlock = 1, and it worked fine. However, I don't know why allow.mlock = 1 is necessary for me.