diff --git a/src/cni-wrapper-plugin/integration/cni_wrapper_plugin_test.go b/src/cni-wrapper-plugin/integration/cni_wrapper_plugin_test.go
index 9ed700869..ef96143cc 100644
--- a/src/cni-wrapper-plugin/integration/cni_wrapper_plugin_test.go
+++ b/src/cni-wrapper-plugin/integration/cni_wrapper_plugin_test.go
@@ -553,7 +553,7 @@ var _ = Describe("CniWrapperPlugin", func() {
 Eventually(session).Should(gexec.Exit(0))
 By("checking that the jump rules are created for that container's netout chain")
- Expect(AllIPTablesRules("filter")).To(ContainElement("-A FORWARD -s 1.2.3.4/32 -o " + defaultIface.Name + " -j " + netoutChainName))
+ Expect(AllIPTablesRules("filter")).To(ContainElement("-A FORWARD -s 1.2.3.4/32 ! -o some-device -j " + netoutChainName))
 By("checking that the default forwarding rules are created for that container")
 Expect(AllIPTablesRules("filter")).To(gomegamatchers.ContainSequence([]string{
diff --git a/src/cni-wrapper-plugin/legacynet/netout.go b/src/cni-wrapper-plugin/legacynet/netout.go
index c2f05950e..5a3649718 100644
--- a/src/cni-wrapper-plugin/legacynet/netout.go
+++ b/src/cni-wrapper-plugin/legacynet/netout.go
@@ -30,7 +30,6 @@ type NetOut struct {
 C2CLogging bool
 IngressTag string
 VTEPName string
- HostInterfaceName string
 DeniedLogsPerSec int
 AcceptedUDPLogsPerSec int
 }
@@ -75,7 +74,7 @@ func (m *NetOut) Initialize(containerHandle string, containerIP net.IP, dnsServe
 Chain: forwardChain,
 JumpConditions: rules.IPTablesRule{
 "-s", containerIP.String(),
- "-o", m.HostInterfaceName,
+ "!", "-o", m.VTEPName,
 },
 Rules: []rules.IPTablesRule{
 rules.NewNetOutRelatedEstablishedRule(),
@@ -162,7 +161,7 @@ func (m *NetOut) Cleanup(containerHandle, containerIP string) error {
 Chain: forwardChain,
 JumpConditions: rules.IPTablesRule{
 "-s", containerIP,
- "-o", m.HostInterfaceName,
+ "!", "-o", m.VTEPName,
 },
 },
 {
diff --git a/src/cni-wrapper-plugin/legacynet/netout_test.go b/src/cni-wrapper-plugin/legacynet/netout_test.go
index f86af7c16..0de70aa5d 100644
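Review bot: In the Initialize hunk (-75) the negated match `"!", "-o", m.VTEPName` is built without checking that VTEPName is set, so an empty value would put an empty interface argument into the FORWARD jump rule; the Cleanup hunk at -162 has the same gap. A guard early in Initialize, such as `if m.VTEPName == "" { return errors.New("vtep name must be set") }`, would fail the add instead of handing a malformed rule to iptables (whether the file already imports `errors` is not visible here). The match is also wider than before, since it now covers every output interface other than the VTEP rather than only the default one, so a comment on JumpConditions would record the intent: `// match forwarded traffic whose output interface is anything other than the VTEP device`. Initialize's body starts and ends outside the hunk.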
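Review bot: Cleanup (-162) now only describes the `! -o <VTEPName>` form of the jump rule, so a container that was set up before this change, with `-o <default interface>`, would presumably keep its old FORWARD jump when it is deleted. A leftover jump keyed on the source IP matters if that IP is later assigned to a different container, because the old rule would still match its traffic. Consider handling the legacy form during a transition period, or stating in a comment on this rule that containers created by the previous version must be recreated. How a failed delete is treated is outside the hunk.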
--- a/src/cni-wrapper-plugin/legacynet/netout_test.go
+++ b/src/cni-wrapper-plugin/legacynet/netout_test.go
@@ -32,7 +32,6 @@ var _ = Describe("Netout", func() {
 Converter: converter,
 IngressTag: "FEEDBEEF",
 VTEPName: "vtep-name",
- HostInterfaceName: "some-device",
 DeniedLogsPerSec: 3,
 AcceptedUDPLogsPerSec: 6,
 }
@@ -89,7 +88,7 @@ var _ = Describe("Netout", func() {
 Expect(table).To(Equal("filter"))
 Expect(chain).To(Equal("FORWARD"))
 Expect(position).To(Equal(1))
- Expect(rulespec).To(Equal([]rules.IPTablesRule{{"-s", "5.6.7.8", "-o", "some-device", "--jump", "netout-some-container-handle"}}))
+ Expect(rulespec).To(Equal([]rules.IPTablesRule{{"-s", "5.6.7.8", "!", "-o", "vtep-name", "--jump", "netout-some-container-handle"}}))
 table, chain, position, rulespec = ipTables.BulkInsertArgsForCall(1)
 Expect(table).To(Equal("filter"))
@@ -337,7 +336,7 @@ var _ = Describe("Netout", func() {
 table, chain, extraArgs = ipTables.DeleteArgsForCall(1)
 Expect(table).To(Equal("filter"))
 Expect(chain).To(Equal("FORWARD"))
- Expect(extraArgs).To(Equal(rules.IPTablesRule{"-s", "5.6.7.8", "-o", "some-device", "--jump", "netout-some-container-handle"}))
+ Expect(extraArgs).To(Equal(rules.IPTablesRule{"-s", "5.6.7.8", "!", "-o", "vtep-name", "--jump", "netout-some-container-handle"}))
 table, chain, extraArgs = ipTables.DeleteArgsForCall(2)
 Expect(table).To(Equal("filter"))
diff --git a/src/cni-wrapper-plugin/main.go b/src/cni-wrapper-plugin/main.go
index 300ca8715..aff2ea36a 100644
--- a/src/cni-wrapper-plugin/main.go
+++ b/src/cni-wrapper-plugin/main.go
@@ -108,7 +108,6 @@ func cmdAdd(args *skel.CmdArgs) error {
 AcceptedUDPLogsPerSec: n.IPTablesAcceptedUDPLogsPerSec,
 IngressTag: n.IngressTag,
 VTEPName: n.VTEPName,
- HostInterfaceName: defaultIfaceName,
 }
 if err := netOutProvider.Initialize(args.ContainerID, containerIP, localDNSServers); err != nil {
 return fmt.Errorf("initialize net out: %s", err)
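Review bot: The expectation at -89 pins the jump rule only for a populated VTEPName ("vtep-name"), and the Delete expectation at -337 has the same limit. Nothing in these hunks exercises Initialize or Cleanup with the field unset, which is the case where the argument after the negated `-o` becomes empty. A companion spec that sets VTEPName to the empty string and asserts the resulting behaviour would document the intended contract for that input.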
@@ -194,22 +193,13 @@ func cmdDel(args *skel.CmdArgs) error {
 fmt.Fprintf(os.Stderr, "net in cleanup: %s", err)
 }
- defaultInterface := discover.DefaultInterface{
- NetlinkAdapter: &adapter.NetlinkAdapter{},
- NetAdapter: &adapter.NetAdapter{},
- }
- defaultIfaceName, err := defaultInterface.Name()
- if err != nil {
- return fmt.Errorf("discover default interface name: %s", err) // not tested
- }
-
 netOutProvider := legacynet.NetOut{
 ChainNamer: &legacynet.ChainNamer{
 MaxLength: 28,
 },
- IPTables: pluginController.IPTables,
- Converter: &legacynet.NetOutRuleConverter{Logger: os.Stderr},
- HostInterfaceName: defaultIfaceName,
+ IPTables: pluginController.IPTables,
+ Converter: &legacynet.NetOutRuleConverter{Logger: os.Stderr},
+ VTEPName: n.VTEPName,
 }
 if err = netOutProvider.Cleanup(args.ContainerID, container.IP); err != nil {
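Review bot: cmdDel now builds the delete spec from `n.VTEPName` as read at delete time, so the FORWARD jump is found only if that value is non-empty and identical to the one used in cmdAdd; otherwise the rule would presumably be left behind. A comment on the field would record this coupling, e.g. `// must equal the VTEPName used at add time, or the FORWARD jump rule will not be matched for deletion`. It would also help to write a message to os.Stderr when `n.VTEPName` is empty, in line with the best-effort logging used for the net in cleanup just above. The handling of the Cleanup error continues outside the hunk.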