support negative ACLs

An operator from CSNOG 1 asked for ability to use negative ACL, i.e. something like

view:notaddr('10.0.0.1', policy.suffix(policy.TC, {'\7example\3com'}))

to apply policy to all clients not having IP address 10.0.0.1.

Question here is how it should be configured and if we should extract ACL logic to some other place. Related: #368 (closed)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message