diff --git a/pkg/nfqinterceptor/nfqinterceptor.go b/pkg/nfqinterceptor/nfqinterceptor.go
index bdb662c..5ede4dc 100644
--- a/pkg/nfqinterceptor/nfqinterceptor.go
+++ b/pkg/nfqinterceptor/nfqinterceptor.go
@@ -64,13 +64,19 @@ type nfqInterceptor struct {
 	queueid int
 	NetfilterBug1766Fix bool
 	interceptAll bool //!c.config.AdminNetworkPolicy && !c.config.BaselineAdminNetworkPolicy
+
+	//populated late and saved for close
+	nf *nfqueue.Nfqueue
 }
 
-func (n nfqInterceptor) Stop(ctx context.Context) {
+func (n *nfqInterceptor) Stop(ctx context.Context) {
 	n.cleanNFTablesRules(ctx)
+	if n.nf != nil {
+		n.nf.Close()
+	}
 }
 
-func (n nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpolicy.Packet) int) error {
+func (n *nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpolicy.Packet) int) error {
 	logger := klog.FromContext(ctx)
 	registerMetrics(ctx)
 	go wait.UntilWithContext(ctx, func(ctx context.Context) {
@@ -117,7 +123,6 @@ func (n nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpolic
 		logger.Info("could not open nfqueue socket", "error", err)
 		return err
 	}
-	defer nf.Close()
 	logger.Info("Syncing nftables rules")
 	_ = n.Sync(ctx, sets.Set[string]{}, sets.Set[string]{}) //why bother with empties?
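Review bot: Stop now closes `n.nf`, but nothing visible in this diff assigns the field: with `defer nf.Close()` removed at old line 120, the queue handle opened in Run is left unowned unless a later hunk not shown here stores it, so the netlink socket would stay open for the process lifetime and Stop's new branch would never fire. After the open error check in Run, add `n.nf = nf` (or open directly into the field) so the ownership transfer the commit intends actually happens. Run and Stop presumably execute on different goroutines, so the write in Run and the nil-check plus Close in Stop would race on `nf` without a mutex or an atomic pointer; guard the field or have Run publish the handle on a channel Stop reads. Switching the receiver to `*nfqInterceptor` means every caller and any interface the type satisfies must now hold a pointer; the constructor is outside this diff, so confirm it returns `*nfqInterceptor`. Minor: gofmt style is `// populated late and saved for close`, with a space after the slashes.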