From 34c2d5276194a04512945e0eb9f6a881055a63d3 Mon Sep 17 00:00:00 2001
From: Cyrill Troxler
Date: Sun, 22 Feb 2026 22:17:58 +0100
Subject: [PATCH 1/2] fix: close bpf maps on stop
---
 activator/activator.go | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/activator/activator.go b/activator/activator.go
index 36213a3..099bd0e 100644
--- a/activator/activator.go
+++ b/activator/activator.go
@@ -181,11 +181,16 @@ func (s *Server) Stop(ctx context.Context) {
 }
 for _, l := range s.listeners {
- l.Close()
+ if err := l.Close(); err != nil {
+ log.G(ctx).WithError(err).Error("closing listener")
+ }
 }
- log.G(ctx).Debugf("removing %s", PinPath(s.sandboxPid))
+ if err := s.closeMaps(); err != nil {
+ log.G(ctx).WithError(err).Error("closing bpf maps")
+ }
+ log.G(ctx).Debugf("removing %s", PinPath(s.sandboxPid))
 _ = os.RemoveAll(PinPath(s.sandboxPid))
 s.wg.Wait()
@@ -393,6 +398,26 @@ func (s *Server) loadPinnedMaps() error {
 return nil
 }
+func (s *Server) closeMaps() error {
+ errs := []error{}
+ if s.maps.ActiveConnections != nil {
+ errs = append(errs, s.maps.ActiveConnections.Close())
+ }
+ if s.maps.DisableRedirect != nil {
+ errs = append(errs, s.maps.DisableRedirect.Close())
+ }
+ if s.maps.EgressRedirects != nil {
+ errs = append(errs, s.maps.EgressRedirects.Close())
+ }
+ if s.maps.IngressRedirects != nil {
+ errs = append(errs, s.maps.IngressRedirects.Close())
+ }
+ if s.maps.SocketTracker != nil {
+ errs = append(errs, s.maps.SocketTracker.Close())
+ }
+ return errors.Join(errs...)
+}
+
 func (s *Server) mapPath(name string) string {
 return filepath.Join(PinPath(s.sandboxPid), name)
 }
From b51a5c31e3e71ce8935e3dada472162d92577ea3 Mon Sep 17 00:00:00 2001
From: Cyrill Troxler
Date: Sun, 22 Feb 2026 22:18:49 +0100
Subject: [PATCH 2/2] fix: close netNS on stop not closing the netns will leave it open for the lifetime the shim
---
 shim/container.go | 1 +
 1 file changed, 1 insertion(+)
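Review bot: `s.closeMaps()` runs before `s.wg.Wait()`, so any goroutine still tracked by the wait group could use a map handle after it has been closed; whether those goroutines touch `s.maps` is not visible in this hunk and is worth confirming. If they do, calling `s.wg.Wait()` first and closing the maps afterwards keeps shutdown from operating on closed descriptors. The context line `_ = os.RemoveAll(PinPath(s.sandboxPid))` still drops its error, and a pin directory that fails to unlink would presumably leave the maps alive after their handles are closed, so logging it like the two new close errors would make a leaked pin visible. Stop's body starts before this hunk and continues past it.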
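Review bot: closeMaps has no doc comment, and nothing states that it only releases the handles while the pinned files are removed separately in Stop; I would add `// closeMaps closes every loaded BPF map handle and joins the resulting errors; removing the pins under PinPath is left to Stop.` The closed handles also stay in `s.maps`, so if Stop can be reached twice (not visible here) the second pass closes them again and reports whatever the map type returns for a repeated Close. On style, `errs := []error{}` reads better as `var errs []error`, since `errors.Join` discards nil entries either way.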
diff --git a/shim/container.go b/shim/container.go
index cece9db..cab9317 100644
--- a/shim/container.go
+++ b/shim/container.go
@@ -324,6 +324,7 @@ func (c *Container) Stop(ctx context.Context) {
 c.sendEvent(status)
 c.StopActivator(ctx)
 c.cleanupImage(ctx)
+ _ = c.netNS.Close()
 }
 func (c *Container) cleanupImage(ctx context.Context) {
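Review bot: The added `_ = c.netNS.Close()` discards the error, while the first patch in this series logs close failures, so a network namespace handle that fails to close goes unnoticed for the rest of the shim's lifetime. I would log it instead, `if err := c.netNS.Close(); err != nil { log.G(ctx).WithError(err).Warn("closing netns") }`, assuming the same `log` package is available in this file. The call is also unguarded: if `c.netNS` can be unset when Stop runs (for example after a failed create, which is not visible in this hunk), a nil check belongs in front of it. Stop's body starts outside the hunk.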