diff --git a/landlock/config.go b/landlock/config.go
index 2fda1f7..430920d 100644
--- a/landlock/config.go
+++ b/landlock/config.go
@@ -291,7 +291,8 @@ func (c Config) compatibleWithABI(abi abiInfo) bool {
 // restrictTo returns a config that is a subset of c and which is compatible with the given ABI.
 func (c Config) restrictTo(abi abiInfo) Config {
 	return Config{
-		handledAccessFS: c.handledAccessFS.intersect(abi.supportedAccessFS),
-		bestEffort:      true,
+		handledAccessFS:  c.handledAccessFS.intersect(abi.supportedAccessFS),
+		handledAccessNet: c.handledAccessNet.intersect(abi.supportedAccessNet),
+		bestEffort:       true,
 	}
 }
diff --git a/landlock/net_opt.go b/landlock/net_opt.go
index 0de167d..6aa0bd9 100644
--- a/landlock/net_opt.go
+++ b/landlock/net_opt.go
@@ -44,10 +44,15 @@ func (n NetRule) compatibleWithConfig(c Config) bool {
 }
 
 func (n NetRule) addToRuleset(rulesetFD int, c Config) error {
+	if n.access == 0 {
+		// Adding this to the ruleset would be a no-op
+		// and result in an error.
+		return nil
+	}
 	flags := 0
 	attr := &ll.NetPortAttr{
 		AllowedAccess: uint64(n.access),
-		Port:          n.port,
+		Port:          uint64(n.port),
 	}
 	return ll.LandlockAddNetPortRule(rulesetFD, attr, flags)
 }
diff --git a/landlock/restrict_downgrade_test.go b/landlock/restrict_downgrade_test.go
index e545931..d867091 100644
--- a/landlock/restrict_downgrade_test.go
+++ b/landlock/restrict_downgrade_test.go
@@ -96,3 +96,24 @@ func TestDowngradeAccessFS(t *testing.T) {
 		})
 	}
 }
+
+func TestDowngradeNetwork(t *testing.T) {
+	cfg := Config{handledAccessNet: ll.AccessNetConnectTCP}
+	abi := abiInfos[3] // does not have networking support
+	rules := []Rule{ConnectTCP(53)}
+	gotCfg, _ := downgrade(cfg, rules, abi)
+
+	if gotCfg.handledAccessNet != 0 {
+		t.Errorf("downgrade to v3 should remove networking support, but resulted in %v", gotCfg)
+	}
+}
+
+func TestDowngradeNoop(t *testing.T) {
+	cfg := V5.BestEffort()
+	abi := abiInfos[5]
+	gotCfg, _ := downgrade(cfg, []Rule{}, abi)
+
+	if gotCfg != cfg {
+		t.Errorf("downgrade should have been a no-op.\n got %v,\nwant %v", gotCfg, cfg)
+	}
+}
diff --git a/landlock/syscall/landlock.go b/landlock/syscall/landlock.go
index 72b2886..ca2fc17 100644
--- a/landlock/syscall/landlock.go
+++ b/landlock/syscall/landlock.go
@@ -75,5 +75,5 @@ type PathBeneathAttr struct {
 // NetPortAttr specifies which ports can be used for what.
 type NetPortAttr struct {
 	AllowedAccess uint64
-	Port          uint16
+	Port          uint64
 }