Very complicated....
It would need to activate log in the pf rule, monitor tcpdump with a script to retain connections attempts of a given host...
For your information you do not need to use
sysutils/expiretable
This command does the same for a table named "Blacklist"
pfctl -t Blacklist - T expire 86400 # 86400 seconds
(
https://www.freebsd.org/doc/handbook/firewalls-pf.html)
In fact if you update to FreeBSD 11.1, now Blacklistd can do that for you for SSH, FTPD.
By default, Blacklistd records 3 failures to connect (it's up to you to set it to 2 or 1) of a given host for a given service and insert it in its banning database for a given period set in config file. So blacklistd communicates with PF or IPFW and set up a banning rule and create a banning table. At the expiry date, blacklistd cleans the banning table of the firewall.
If you want to unban an IP before the expiry date, just manipulate the firewall tables (portxxx) and remove the IP. Host will be added again if it fails again to connect x times.
If a given host is already banned and tries to connect further but without reaching the critical number of failures, I don't know if blacklistd resets the time to expiry date at this moment, interesting point because it would answer your question.
Here is a little guide to setup blacklistd with PF or IPFW
https://people.freebsd.org/~lidl/blacklistd.html
Try, test and tell us more about the behaviour of blacklistd