Ability to specify exempt CIDRs in Security Policy

[Thakurvaibhav]

Description:
I have a security policy that I would like to apply to all source IPs except for a certain CIDR. Example:
A security policy for my backend which would:

1. Allow traffic if it originates from a certain CIDR and has certain claims in the JWT
2. Allow traffic if it originates from CIDR, not in 1

The following policy will not work:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authorization-jwt-claim
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend
  jwt:
    providers:
    - name: example
      issuer: https://foo.bar.com/
      remoteJWKS:
        uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json
  authorization:
    defaultAction: Deny
    rules:
    - name: "conditional-allow-for-customer-1"
      action: Allow
      principal:
        clientCIDRs:
        - 10.0.1.0/24
        jwt:
          provider: example
          scopes: ["read", "add", "modify"]
          claims:
          - name: user.name
            values: ["John Doe"]
    - name: "allow-for-other-customers"
      action: Allow

because blocklist cidr condition will match the second rule

Relevant Slack Conversation: https://envoyproxy.slack.com/archives/C03E6NHLESV/p1739480718458779

[Thakurvaibhav]

It would be nice to have a not principal supported.