support negative ACLs
An operator from CSNOG 1 asked for ability to use negative ACL, i.e. something like
view:notaddr('10.0.0.1', policy.suffix(policy.TC, {'\7example\3com'}))
to apply policy to all clients not having IP address 10.0.0.1
.
Question here is how it should be configured and if we should extract ACL logic to some other place. Related: #368 (closed)