I have the following rule:
add action=reject chain=forward comment="Drop certain services during the morning" disabled=yes layer7-protocol=DENIED log=yes \
log-prefix="DROP FACEBOOK 0800-1300 WEEKDAYS" reject-with=icmp-admin-prohibited \
time=8h-13h,mon,tue,wed,thu,fri,sat
This works fine. Between 8 and 13h, access to the servers specified in layer-7 DENIED is not possible.
DENIED is defined as follows:
^.+(facebook.com|youtube).*$
However, when I add a src-address-list=!Allowed_restricted_services to exclude certain source addresses from the rule, they are still blocked, i.e. they still cannot access youtube.
add action=reject chain=forward comment="Drop certain services during the morning" disabled=yes layer7-protocol=DENIED log=yes \
log-prefix="DROP FACEBOOK 0800-1300 WEEKDAYS" reject-with=icmp-admin-prohibited src-address-list=!Allowed_restricted_services \
time=8h-13h,mon,tue,wed,thu,fri,sat
What is happening here that I don’t understand?
This is not a rule order issue, I believe. If I disable the whole rule, traffic flows right away. If I don’t have src-address-list=!Allowed_restricted_services in the rule, it’s blocked for all, so why doesn’t src-address-list=!Allowed_restricted_services allow the specified ip addresses?
23 ;;; Old Server
Allowed_restricted_services 192.168.1.118 dec/12/2017 09:08:27
24 ;;; Pieter's Lenovo
Allowed_restricted_services 192.168.1.158 dec/12/2017 09:11:24
25 ;;; Nyreen's iPhone
Allowed_restricted_services 192.168.1.71 dec/12/2017 09:13:08
26 ;;; New Server
Allowed_restricted_services 192.168.1.111 dec/12/2017 09:24:30
27 ;;; Rudolf's iPhone
Allowed_restricted_services 192.168.1.195 dec/12/2017 09:26:09
28 ;;; Rudolf's iPad Air
Allowed_restricted_services 192.168.1.58 dec/12/2017 09:27:16
29 ;;; Pieter's iPad
Allowed_restricted_services 192.168.1.94 dec/12/2017 09:27:38
30 ;;; Heinrich's Macbook Air
Allowed_restricted_services 192.168.1.178 dec/12/2017 09:29:29
31 ;;; Rudolf's Laptop
Allowed_restricted_services 192.168.1.139 dec/12/2017 09:30:31
32 ;;; Pieter's Home
Allowed_restricted_services 192.168.1.110 dec/12/2017 09:31:38
33 ;;; Heinrich's Cellphone
Allowed_restricted_services 192.168.1.113 dec/12/2017 09:32:12
34 ;;; Nyreen's Mac
Allowed_restricted_services 192.168.1.127 dec/13/2017 12:14:23
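As an added illustration (not part of the original post), the following Python model evaluates the posted rule against both directions of a single connection in the forward chain. The server address 203.0.113.10, the `rule_fixed` variant with an extra `dst-address-list` match, and the assumption that the layer7 classification of a connection applies to its packets in both directions are mine, not the poster's.

```python
# Added example, not from the original post: a small model of how a
# RouterOS forward-chain rule is evaluated against each packet of a flow.
# Assumption (labelled): once the layer7 matcher has classified the
# connection as DENIED, packets in both directions carry that match.
from dataclasses import dataclass

# A subset of the source addresses from the post's Allowed_restricted_services list.
ALLOWED = {"192.168.1.118", "192.168.1.158", "192.168.1.71", "192.168.1.111"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    l7_denied: bool  # connection already classified by layer7 DENIED


def rule_as_posted(pkt: Packet) -> bool:
    """layer7-protocol=DENIED src-address-list=!Allowed_restricted_services"""
    if not pkt.l7_denied:
        return False
    # The negated src list only exempts packets *from* an allowed host.
    return pkt.src not in ALLOWED


def rule_fixed(pkt: Packet) -> bool:
    """Same rule with the reply direction exempted too (assumed change):
    dst-address-list=!Allowed_restricted_services added alongside src."""
    if not pkt.l7_denied:
        return False
    return pkt.src not in ALLOWED and pkt.dst not in ALLOWED


def connection_rejected(rule, client: str, server: str) -> bool:
    """The forward chain sees both directions of a flow; rejecting either
    direction breaks the session for the client."""
    request = Packet(src=client, dst=server, l7_denied=True)
    reply = Packet(src=server, dst=client, l7_denied=True)
    return rule(request) or rule(reply)


if __name__ == "__main__":
    SERVER = "203.0.113.10"  # constructed placeholder for a video CDN address
    for client in ("192.168.1.118", "192.168.1.200"):
        print(client, "posted:", connection_rejected(rule_as_posted, client, SERVER),
              "fixed:", connection_rejected(rule_fixed, client, SERVER))
```

With the posted rule the allowed client's request is exempted but the reply from the server (whose source is not in the list) still matches and is rejected; checking both src and dst against the list exempts the whole connection.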