Capturing ipv6 traffic with AppProxyProvider on MacOS

I have implemented an AppProxyProvider (NETransparentProxyProvider) and I am able to capture traffic with it.

I am also able to define network rules allowing me to exclude some traffic:

let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1:8080")
settings.includedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0", remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)
]

Now the documentation states that if I want to capture localhost traffic, I need to explicitly add the following rule:

NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "127.0.0.0", port: "0", remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)

and if I want to capture ipv6 localhost address:

NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "::1", port: "0", remotePrefix: 128, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)

All this works great.

Now I am having trouble capturing external ipv6 traffic. For example my ISP supports ipv6 and facebook.com resolves to 2a03:2880:f128:181:face:b00c:0:25de on my machine.

I am unable to write any rule allowing me to capture with the system extension such traffic. Either I get errors that the network mask cannot be greater than 32 or the traffic simply doesn't flow through the extension.

Here's an example request that I would like to capture:

curl https://facebook.com -kvp
*   Trying [2a03:2880:f128:181:face:b00c:0:25de]:443...
* Connected to facebook.com (2a03:2880:f128:181:face:b00c:0:25de) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=Menlo Park; O=Meta Platforms, Inc.; CN=*.facebook.com
*  start date: Aug 26 00:00:00 2023 GMT
*  expire date: Nov 24 23:59:59 2023 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: facebook.com]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x7fcb5c011e00)
> GET / HTTP/2
> Host: facebook.com
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 301
< location: https://www.facebook.com/
< strict-transport-security: max-age=15552000; preload
< content-type: text/html; charset="utf-8"
< x-fb-debug: uWVEw8FZUIXozHae5VgKvIDY5lgH/4Aph+h+nJNJpIr7jFZIFGy9LRLGCSwPudcFBdi4Mf4rLaKsNGCBxHDmrA==
< content-length: 0
< date: Fri, 17 Nov 2023 14:14:03 GMT
< alt-svc: h3=":443"; ma=86400
<
* Connection #0 to host facebook.com left intact

Can this be achieved?