diff --git a/binaries/aarch64/nfqws b/binaries/aarch64/nfqws
index 23e93572..e1ed99ca 100755
Binary files a/binaries/aarch64/nfqws and b/binaries/aarch64/nfqws differ
diff --git a/binaries/aarch64/tpws b/binaries/aarch64/tpws
index a5ed7c84..c4973d31 100755
Binary files a/binaries/aarch64/tpws and b/binaries/aarch64/tpws differ
diff --git a/binaries/arm/nfqws b/binaries/arm/nfqws
index 4006c054..d0763e80 100755
Binary files a/binaries/arm/nfqws and b/binaries/arm/nfqws differ
diff --git a/binaries/arm/tpws b/binaries/arm/tpws
index b8d5ab36..c69762ee 100755
Binary files a/binaries/arm/tpws and b/binaries/arm/tpws differ
diff --git a/binaries/mips32r1-lsb/nfqws b/binaries/mips32r1-lsb/nfqws
index b19e4d78..08a6b405 100755
Binary files a/binaries/mips32r1-lsb/nfqws and b/binaries/mips32r1-lsb/nfqws differ
diff --git a/binaries/mips32r1-lsb/tpws b/binaries/mips32r1-lsb/tpws
index ced251ff..9191a07f 100755
Binary files a/binaries/mips32r1-lsb/tpws and b/binaries/mips32r1-lsb/tpws differ
diff --git a/binaries/mips32r1-msb/nfqws b/binaries/mips32r1-msb/nfqws
index d8f83f1b..3742a386 100755
Binary files a/binaries/mips32r1-msb/nfqws and b/binaries/mips32r1-msb/nfqws differ
diff --git a/binaries/mips32r1-msb/tpws b/binaries/mips32r1-msb/tpws
index 757aa7a4..44184004 100755
Binary files a/binaries/mips32r1-msb/tpws and b/binaries/mips32r1-msb/tpws differ
diff --git a/binaries/mips64r2-msb/nfqws b/binaries/mips64r2-msb/nfqws
index 4d541c95..3a30e32a 100755
Binary files a/binaries/mips64r2-msb/nfqws and b/binaries/mips64r2-msb/nfqws differ
diff --git a/binaries/mips64r2-msb/tpws b/binaries/mips64r2-msb/tpws
index 799444f6..8808138b 100755
Binary files a/binaries/mips64r2-msb/tpws and b/binaries/mips64r2-msb/tpws differ
diff --git a/binaries/ppc/nfqws b/binaries/ppc/nfqws
index b228214e..899c86c9 100755
Binary files a/binaries/ppc/nfqws and b/binaries/ppc/nfqws differ
diff --git a/binaries/ppc/tpws b/binaries/ppc/tpws
index 45eccdd4..87f3788a 100755
Binary files a/binaries/ppc/tpws and b/binaries/ppc/tpws differ
diff --git a/binaries/x86/nfqws b/binaries/x86/nfqws
index 6a37184d..d204b22d 100755
Binary files a/binaries/x86/nfqws and b/binaries/x86/nfqws differ
diff --git a/binaries/x86/tpws b/binaries/x86/tpws
index d57e1c8e..fe09f97a 100755
Binary files a/binaries/x86/tpws and b/binaries/x86/tpws differ
diff --git a/binaries/x86_64/nfqws b/binaries/x86_64/nfqws
index 0c3c9cb3..c062d553 100755
Binary files a/binaries/x86_64/nfqws and b/binaries/x86_64/nfqws differ
diff --git a/binaries/x86_64/tpws b/binaries/x86_64/tpws
index 5a82e6d8..50a11bf7 100755
Binary files a/binaries/x86_64/tpws and b/binaries/x86_64/tpws differ
diff --git a/binaries/x86_64/tpws_wsl.tgz b/binaries/x86_64/tpws_wsl.tgz
index 1aae5b8c..214388e0 100644
Binary files a/binaries/x86_64/tpws_wsl.tgz and b/binaries/x86_64/tpws_wsl.tgz differ
diff --git a/nfq/sec.c b/nfq/sec.c
index c40f1ec6..00061574 100644
--- a/nfq/sec.c
+++ b/nfq/sec.c
@@ -14,13 +14,10 @@
 #include
 #include
 #include
+#include
 /************ SECCOMP ************/
-#ifdef __X32_SYSCALL_BIT
-#define X32_SYSCALL_BIT __X32_SYSCALL_BIT
-#else
-#define X32_SYSCALL_BIT 0x40000000
-#endif
+
 // block most of the undesired syscalls to harden against code execution
 static long blocked_syscalls[] = {
 #ifdef SYS_execv
@@ -116,18 +113,28 @@ static void set_filter(struct sock_filter *filter, __u16 code, __u8 jt, __u8 jf,
 filter->k = k;
 }
 // deny all blocked syscalls
-bool set_seccomp()
+static bool set_seccomp()
 {
-#define SECCOMP_PROG_SIZE (6 + BLOCKED_SYSCALL_COUNT)
- struct sock_fprog prog = { .len = SECCOMP_PROG_SIZE };
- int res,i,idx=0;
+#ifdef __X32_SYSCALL_BIT
+ #define SECCOMP_PROG_SIZE (6 + BLOCKED_SYSCALL_COUNT)
+#else
+ #define SECCOMP_PROG_SIZE (5 + BLOCKED_SYSCALL_COUNT)
+#endif
+ struct sock_filter sockf[SECCOMP_PROG_SIZE];
+ struct sock_fprog prog = { .len = SECCOMP_PROG_SIZE, .filter = sockf };
+ int i,idx=0;
- prog.filter = calloc(SECCOMP_PROG_SIZE, sizeof(*prog.filter));
- if (!prog.filter) return false;
 set_filter(&prog.filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, arch_nr);
+#ifdef __X32_SYSCALL_BIT
+ // x86 only
 set_filter(&prog.filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 3 + BLOCKED_SYSCALL_COUNT, ARCH_NR); // fail
 set_filter(&prog.filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, syscall_nr);
- set_filter(&prog.filter[idx++], BPF_JMP + BPF_JGT + BPF_K, 1 + BLOCKED_SYSCALL_COUNT, 0, X32_SYSCALL_BIT - 1); // fail
+ set_filter(&prog.filter[idx++], BPF_JMP + BPF_JGT + BPF_K, 1 + BLOCKED_SYSCALL_COUNT, 0, __X32_SYSCALL_BIT - 1); // fail
+#else
+ set_filter(&prog.filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 1 + BLOCKED_SYSCALL_COUNT, ARCH_NR); // fail
+ set_filter(&prog.filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, syscall_nr);
+#endif
+
 /*
 // ! THIS IS NOT WORKING BECAUSE perror() in glibc dups() stderr
 set_filter(&prog.filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 3, SYS_write); // special check for write call
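Review bot: In the new `#else` branch the arch check's false-branch offset lands on the wrong instruction: with the 5 + BLOCKED_SYSCALL_COUNT layout (LD arch, JEQ arch, LD nr, the N per-syscall checks, RET ALLOW, RET KILL) a jf of `1 + BLOCKED_SYSCALL_COUNT` measured from the instruction after the JEQ resolves to RET ALLOW, so a syscall entered under a non-matching audit arch is allowed instead of killed. The x32 branch keeps `3 + BLOCKED_SYSCALL_COUNT` for its 6-instruction layout, and removing one instruction should lower that offset by one, so the line should read `set_filter(&prog.filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 2 + BLOCKED_SYSCALL_COUNT, ARCH_NR); // fail`. This assumes the loop in the unchanged part of the function emits exactly BLOCKED_SYSCALL_COUNT entries, which `.len = SECCOMP_PROG_SIZE` also requires now that `sockf` is an uninitialised stack array rather than calloc'd memory. The same two lines appear in the tpws/sec.c hunk @@ -116,18 +113,28 and need the same change. set_seccomp continues past this hunk.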
@@ -141,13 +148,9 @@ bool set_seccomp()
 }
 set_filter(&prog.filter[idx++], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_ALLOW); // success case
 set_filter(&prog.filter[idx++], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_KILL); // fail case
- res=prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
- free(prog.filter);
- return res>=0;
+ return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) >= 0;
 }
-
-
 bool sec_harden()
 {
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
@@ -159,6 +162,7 @@ bool sec_harden()
 if (!set_seccomp())
 {
 perror("seccomp");
+ if (errno==EINVAL) fprintf(stderr,"seccomp: this can be safely ignored if kernel does not support seccomp\n");
 return false;
 }
 #endif
@@ -167,6 +171,7 @@ bool sec_harden()
+
 bool checkpcap(uint64_t caps)
 {
 if (!caps) return true; // no special caps reqd
diff --git a/tpws/sec.c b/tpws/sec.c
index 08a5d78b..9fb40d80 100644
--- a/tpws/sec.c
+++ b/tpws/sec.c
@@ -14,13 +14,10 @@
 #include
 #include
 #include
+#include
 /************ SECCOMP ************/
-#ifdef __X32_SYSCALL_BIT
-#define X32_SYSCALL_BIT __X32_SYSCALL_BIT
-#else
-#define X32_SYSCALL_BIT 0x40000000
-#endif
+
 // block most of the undesired syscalls to harden against code execution
 static long blocked_syscalls[] = {
 #ifdef SYS_execv
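Review bot: `SECCOMP_PROG_SIZE` is now `#define`d inside the body of set_seccomp (previous hunk), but a `#define` placed in a function body still has translation-unit scope, so the macro remains visible after the `}` that closes the function here. Adding `#undef SECCOMP_PROG_SIZE` right after that closing brace would keep the per-function sizing constant from leaking into sec_harden and the rest of the file; the same applies to the tpws/sec.c hunk @@ -141,13 +148,9. set_seccomp starts outside this hunk.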
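Review bot: The added `errno==EINVAL` test runs after `perror("seccomp")`, and perror is permitted to modify errno when its own write to stderr fails, so the hint may be evaluated against a stale value; capture it first: `int err = errno; perror("seccomp"); if (err == EINVAL) fprintf(stderr, "seccomp: this can be safely ignored if kernel does not support seccomp\n");`. The kernel also returns EINVAL from PR_SET_SECCOMP when the filter program itself is rejected (for example an out-of-range jump), not only when seccomp filtering is not compiled in, so "can be safely ignored" can mask a broken filter; a wording such as "this can be ignored only if the kernel lacks seccomp filter support" would be more accurate. The same line is added in the tpws/sec.c hunk @@ -159,6 +162,7. sec_harden starts and ends outside this hunk.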
@@ -116,18 +113,28 @@ static void set_filter(struct sock_filter *filter, __u16 code, __u8 jt, __u8 jf,
 filter->k = k;
 }
 // deny all blocked syscalls
-bool set_seccomp()
+static bool set_seccomp()
 {
-#define SECCOMP_PROG_SIZE (6 + BLOCKED_SYSCALL_COUNT)
- struct sock_fprog prog = { .len = SECCOMP_PROG_SIZE };
- int res,i,idx=0;
+#ifdef __X32_SYSCALL_BIT
+ #define SECCOMP_PROG_SIZE (6 + BLOCKED_SYSCALL_COUNT)
+#else
+ #define SECCOMP_PROG_SIZE (5 + BLOCKED_SYSCALL_COUNT)
+#endif
+ struct sock_filter sockf[SECCOMP_PROG_SIZE];
+ struct sock_fprog prog = { .len = SECCOMP_PROG_SIZE, .filter = sockf };
+ int i,idx=0;
- prog.filter = calloc(SECCOMP_PROG_SIZE, sizeof(*prog.filter));
- if (!prog.filter) return false;
 set_filter(&prog.filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, arch_nr);
+#ifdef __X32_SYSCALL_BIT
+ // x86 only
 set_filter(&prog.filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 3 + BLOCKED_SYSCALL_COUNT, ARCH_NR); // fail
 set_filter(&prog.filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, syscall_nr);
- set_filter(&prog.filter[idx++], BPF_JMP + BPF_JGT + BPF_K, 1 + BLOCKED_SYSCALL_COUNT, 0, X32_SYSCALL_BIT - 1); // fail
+ set_filter(&prog.filter[idx++], BPF_JMP + BPF_JGT + BPF_K, 1 + BLOCKED_SYSCALL_COUNT, 0, __X32_SYSCALL_BIT - 1); // fail
+#else
+ set_filter(&prog.filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 1 + BLOCKED_SYSCALL_COUNT, ARCH_NR); // fail
+ set_filter(&prog.filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, syscall_nr);
+#endif
+
 /*
 // ! THIS IS NOT WORKING BECAUSE perror() in glibc dups() stderr
 set_filter(&prog.filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 3, SYS_write); // special check for write call
@@ -141,13 +148,9 @@ bool set_seccomp()
 }
 set_filter(&prog.filter[idx++], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_ALLOW); // success case
 set_filter(&prog.filter[idx++], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_KILL); // fail case
- res=prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
- free(prog.filter);
- return res>=0;
+ return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) >= 0;
 }
-
-
 bool sec_harden()
 {
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
@@ -159,6 +162,7 @@ bool sec_harden()
 if (!set_seccomp())
 {
 perror("seccomp");
+ if (errno==EINVAL) fprintf(stderr,"seccomp: this can be safely ignored if kernel does not support seccomp\n");
 return false;
 }
 #endif
@@ -167,6 +171,7 @@ bool sec_harden()
+
 bool checkpcap(uint64_t caps)
 {
 if (!caps) return true; // no special caps reqd