phylum-dev / birdcage

Cross-platform embeddable sandboxing


Switch seccomp network filter from blacklist to whitelist

cd-work opened this issue · comments

Currently the seccomp network filter will allow all system calls which are not handled. This is problematic since future syscall additions can add new ways to do networking which would automatically be allowed.

To ensure that the seccomp filter doesn't get surprised by new kernel syscalls, a whitelist-based approach should be used instead which denies all but the allowed syscalls.
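As an added example (not birdcage's own code), this is what the deny-by-default filter the issue asks for looks like as raw seccomp BPF: an architecture check, then one comparison per allowed syscall, then a default kill, so a syscall number the filter has never seen falls through to the default instead of being allowed. A tiny interpreter is included so the filter can be checked offline without installing it via seccomp(2); the allowed syscall set and the x86_64 arch constant are assumptions.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/syscall.h>

#define THIS_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64; use the matching AUDIT_ARCH_* elsewhere */
#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define NR_OFF   offsetof(struct seccomp_data, nr)

/* Layout: arch check, load nr, one JEQ per allowed syscall (jt lands on ALLOW), then the
 * default: anything unlisted, future kernel syscalls included, is killed. n must be < 255. */
static size_t build_allowlist(struct sock_filter *out, const int *allowed, size_t n) {
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF);
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF);
    for (size_t j = 0; j < n; j++) /* jt skips the remaining JEQs and the default KILL */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[j], (uint8_t)(n - j), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Interpreter for the three opcodes the builder emits; returns the seccomp action. */
static uint32_t run_filter(const struct sock_filter *f, size_t len, uint32_t arch, uint32_t nr) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &f[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (ins->k == ARCH_OFF) ? arch : nr; /* only arch and nr are ever loaded */
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == ins->k) ? ins->jt : ins->jf; /* offsets are relative to the next insn */
        else if (ins->code == (BPF_RET | BPF_K))
            return ins->k;
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: deny */
}
/* socket(2) passes; a constructed "future" syscall number and a foreign arch are killed. */
static int allowlist_denies_unknown(void) {
    struct sock_filter prog[32]; /* 6 fixed insns + one per allowed syscall */
    const int allowed[] = { SYS_read, SYS_write, SYS_socket, SYS_connect }; /* constructed set */
    size_t len = build_allowlist(prog, allowed, sizeof allowed / sizeof allowed[0]);
    return run_filter(prog, len, THIS_ARCH, SYS_socket) == SECCOMP_RET_ALLOW
        && run_filter(prog, len, THIS_ARCH, 999999) == SECCOMP_RET_KILL_PROCESS
        && run_filter(prog, len, THIS_ARCH + 1, SYS_socket) == SECCOMP_RET_KILL_PROCESS;
}
```

With a deny-by-default list like this, a syscall added by a future kernel is rejected until it is explicitly added to `allowed`, which is the property the issue asks for.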