The optional flag --filter-system-calls was not applied even if specified.

This is a defense in depth feature to apply additional seccomp filters after the binary has started. The example config also sandboxes the binary with systemd.

Reduced sandboxing of the netfoil binary.