This uses NFQUEUE to get real-time userspace access to the ability to decide which connections to allow. NFQUEUE users must return a verdict on the packet (skb? I don't recall) before the packet continues to flow through the system. Using seccomp you don't get the opportunity to pass that up to a user to decide which action to take. Using other eBPF consumers is similar (since it represents a risk).
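To make the "must return a verdict" step concrete, here is an added example (not part of the original comment, and not the code of the tool it describes) that parses an NFQUEUE packet notification and builds the matching verdict message at the nfnetlink wire level. The constants are the values from the kernel's `nfnetlink.h`, `nfnetlink_queue.h` and `netfilter.h` headers; the function names and the sample message are constructed for illustration, and no netlink socket is opened.

```python
import struct

# Values from linux/netfilter/nfnetlink.h, nfnetlink_queue.h and netfilter.h
NFNL_SUBSYS_QUEUE = 3
NFQNL_MSG_PACKET, NFQNL_MSG_VERDICT = 0, 1
NFQA_PACKET_HDR, NFQA_VERDICT_HDR = 1, 2
NF_DROP, NF_ACCEPT = 0, 1
NLM_F_REQUEST = 1

def nlattr(atype, payload):
    """Netlink attribute: u16 length, u16 type (host order), payload padded to 4 bytes."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, atype) + payload + b"\0" * (-length % 4)

def nfq_msg(msg_type, queue_num, attrs, seq=0):
    """nlmsghdr + nfgenmsg (family, version, res_id = queue number, big-endian) + attributes."""
    body = struct.pack("=BB", 0, 0) + struct.pack("!H", queue_num) + attrs
    nl_type = (NFNL_SUBSYS_QUEUE << 8) | msg_type
    return struct.pack("=IHHII", 16 + len(body), nl_type, NLM_F_REQUEST, seq, 0) + body

def packet_id(msg):
    """Return (queue number, packet id) from an NFQNL_MSG_PACKET notification."""
    length, nl_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", msg)
    if nl_type != (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_PACKET:
        raise ValueError("not an NFQUEUE packet notification")
    (queue_num,) = struct.unpack_from("!H", msg, 18)
    off = 20  # attributes start after nlmsghdr (16 bytes) and nfgenmsg (4 bytes)
    while off + 4 <= length:
        alen, atype = struct.unpack_from("=HH", msg, off)
        if alen < 4:
            raise ValueError("malformed attribute")
        if atype & 0x3FFF == NFQA_PACKET_HDR:
            # nfqnl_msg_packet_hdr: be32 packet_id, be16 hw_protocol, u8 hook
            pkt_id, _hw, _hook = struct.unpack_from("!IHB", msg, off + 4)
            return queue_num, pkt_id
        off += (alen + 3) & ~3
    raise ValueError("no NFQA_PACKET_HDR attribute")

def verdict_for(msg, allow):
    """Build the NFQNL_MSG_VERDICT reply; the kernel holds the packet until it arrives."""
    queue_num, pkt_id = packet_id(msg)
    hdr = struct.pack("!II", NF_ACCEPT if allow else NF_DROP, pkt_id)
    return nfq_msg(NFQNL_MSG_VERDICT, queue_num, nlattr(NFQA_VERDICT_HDR, hdr))

# Constructed sample: queue 5, packet id 42, IPv4 (0x0800), hook 3 (LOCAL_OUT)
SAMPLE = nfq_msg(NFQNL_MSG_PACKET, 5, nlattr(NFQA_PACKET_HDR, struct.pack("!IHB", 42, 0x0800, 3)))
```

The verdict carries the same packet id the kernel handed out, which is how a queued packet stays parked until userspace answers for that specific packet.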