diff --git a/roles/lmn_exam/files/pam-exec.sh b/roles/lmn_exam/files/pam-exec.sh
index f905cfc..4f54861 100644
--- a/roles/lmn_exam/files/pam-exec.sh
+++ b/roles/lmn_exam/files/pam-exec.sh
@@ -5,16 +5,10 @@ if [[ "${PAM_USER}" =~ -exam$ ]]; then
     systemctl start firewalld.service
-    if [[ -f /usr/local/sbin/no-way-out-nftable ]]; then
-        /usr/local/sbin/no-way-out-nftable || true
-    fi
     if systemctl is-enabled --quiet libvirtd.service; then
         systemctl restart libvirtd.service
     fi
 elif ! (users | grep -q -- "-exam"); then
-    if /usr/sbin/nft list tables | /usr/bin/grep -q filtermacvtap; then
-        /usr/sbin/nft delete table netdev filtermacvtap || true
-    fi
     systemctl stop firewalld.service
     if systemctl is-enabled --quiet libvirtd.service; then
         systemctl restart libvirtd.service
diff --git a/roles/lmn_exam/tasks/main.yml b/roles/lmn_exam/tasks/main.yml
index 838fd68..aba8b29 100644
--- a/roles/lmn_exam/tasks/main.yml
+++ b/roles/lmn_exam/tasks/main.yml
@@ -62,25 +62,13 @@
     src: no-way-out.xml.j2
     dest: "/etc/firewalld/policies/no-way-out-{{ item }}.xml"
     mode: '0644'
-  vars:
-    zones:
-      - HOST
-      - "{{ 'libvirt' if vm_support | default(false) else '' }}"
-  loop: "{{ zones | reject('match','^$') }}"
+  loop:
+    - HOST
+    - libvirt
   when:
     - exam_destination_allowed_ipv4 is defined
     - exam_destination_allowed_ipv4 | length > 0
 
-- name: Install no-way-out nf-table for macvtap device
-  ansible.builtin.template:
-    src: no-way-out-nftable.j2
-    dest: "/usr/local/sbin/no-way-out-nftable"
-    mode: '0755'
-  when:
-    - exam_destination_allowed_ipv4 is defined
-    - exam_destination_allowed_ipv4 | length > 0
-    - vm_support is defined and vm_support
-
 - name: Enable login script via pam_exec.so
   ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-session
diff --git a/roles/lmn_exam/templates/no-way-out-nftable.j2 b/roles/lmn_exam/templates/no-way-out-nftable.j2
deleted file mode 100644
index 2c6efb8..0000000
--- a/roles/lmn_exam/templates/no-way-out-nftable.j2
+++ /dev/null
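Review bot: With the nftable call gone, `systemctl start firewalld.service` is the only lockdown step left in the exam branch, yet its exit status is never examined, so a firewalld start failure would still let the exam session open with no network restriction. The script's head is outside the hunk, so it is unclear whether `set -e` applies; making the check explicit, `systemctl start firewalld.service || exit 1`, lets pam_exec surface the failure rather than silently admit the user (what PAM then does depends on the control flag of the pam_exec line that the role's lineinfile task installs). A smaller consistency point on the `elif` line: the first branch anchors the suffix with `-exam$`, while `grep -q -- "-exam"` matches `-exam` anywhere in the `users` output, so a logout by an unrelated account such as `foo-example` would be treated as an exam user still being present and firewalld would stay up; `users | tr ' ' '\n' | grep -q -- '-exam$'` matches the first branch's intent. The enclosing `if`/`elif` block continues past the end of the hunk.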
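Review bot: The `vm_support` gate is dropped here: the new `loop` always renders the `libvirt` policy, whereas the removed `vars`/`reject` construction only did so when `vm_support` was true, and the companion pam-exec.sh hunk still checks `systemctl is-enabled --quiet libvirtd.service` before touching libvirt. On a host without libvirt the `libvirt` zone presumably does not exist, and a firewalld policy whose ingress or egress zone is missing is likely to be rejected when firewalld loads its configuration — worth confirming before merging. If the gate is still wanted, it fits the flat loop as a per-item condition: add `- item != 'libvirt' or vm_support | default(false)` to the `when:` list. Since the deleted nftable task was the only per-macvtap-device filter and nothing visible in this diff replaces it, a short comment on this task stating that the `libvirt` zone policy is now expected to cover VM traffic would save the next maintainer from re-deriving that.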
@@ -1,41 +0,0 @@
-#!/usr/bin/bash
-
-set -eu
-
-interfaces=$(/usr/bin/ip link | /usr/bin/sed -En 's/.*(macvtap-.*)@.*/\1/p')
-gateway=$(/usr/bin/ip route list default | /usr/bin/head -1 | /usr/bin/cut -f 3 -d " ")
-
-filterchain=""
-for interface in ${interfaces}; do
-    filterchain=$(cat <<- EOF
-${filterchain}
-
-    chain filterin_${interface} {
-        type filter hook ingress device ${interface} priority filter; policy drop;
-        ip saddr \$allowed_ipv4 accept
-        ip saddr ${gateway} accept;
-        ip saddr 255.255.255.255 accept;
-    }
-
-    chain filterout_${interface} {
-        type filter hook egress device ${interface} priority filter; policy drop;
-        ip daddr \$allowed_ipv4 accept
-        ip daddr ${gateway} accept;
-        ip daddr 255.255.255.255 accept;
-    }
-EOF
-)
-done
-
-
-
-nft_table=$(cat <<- EOF
-define allowed_ipv4 = { {{ exam_destination_allowed_ipv4 | join(",") }} }
-
-table netdev filtermacvtap {
-${filterchain}
-}
-EOF
-)
-
-echo "$nft_table" | /usr/sbin/nft -f -