diff --git a/doc/ChangeLog b/doc/ChangeLog
index b5fd9e7a5..22a0711b2 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,12 @@
 2011-07-07  Vadim Kurland  <vadim@netcitadel.com>
 
+	* PFImporter.cpp (makeAddressObj): see #2546 "PF import - negation
+	inside of inline tables is ignored". Since we can not import
+	address lists or tables that contain a mix of negated and
+	non-negated items, importer should display an error when it
+	enounters one of these and mark all rules that use it as "broken"
+	(rule is colored red and error message is added to the comment).
+
 	* PFImporter.cpp (makeAddressObj): see #2556 "PF import: impor of
 	rules referring to undefined macros". If pf.conf file uses an
 	undefined macro (there is $macro somewhere but the macro has never
diff --git a/src/import/Importer.cpp b/src/import/Importer.cpp
index 263ce2bb4..d55990ca0 100644
--- a/src/import/Importer.cpp
+++ b/src/import/Importer.cpp
@@ -1016,3 +1016,18 @@ void Importer::rearrangeVlanInterfaces()
 
 }
 
+void Importer::registerBrokenObject(FWObject *obj, const QString &err)
+{
+    broken_objects[obj] = err;
+}
+
+bool Importer::isObjectBroken(FWObject *obj)
+{
+    return broken_objects.count(obj) != 0;
+}
+
+QString Importer::getBrokenObjectError(FWObject *obj)
+{
+    return broken_objects[obj];
+}
+
diff --git a/src/import/Importer.h b/src/import/Importer.h
index db3f772fd..9700fb7db 100644
--- a/src/import/Importer.h
+++ b/src/import/Importer.h
@@ -142,6 +142,13 @@ protected:
     // use this to quickly find objects to avoid creating duplicates
     std::map<const std::string,libfwbuilder::FWObject*>   all_objects;
 
+    // registry of broken objects. Sometimes we create an AddressTable
+    // or a group object during import that may have some kind of a problem
+    // that we leave for the user to fix manually. In order to be able to mark
+    // all rules that use this object as "broken", we should register these
+    // broken objects somewhere.
+    std::map<libfwbuilder::FWObject*, QString> broken_objects;
+    
     UnidirectionalRuleSet* current_ruleset;
     
     libfwbuilder::Rule* current_rule;
@@ -203,6 +210,10 @@ protected:
     virtual void addOSrv();
 
     virtual void addLogging();
+
+    void registerBrokenObject(libfwbuilder::FWObject *o, const QString &err);
+    bool isObjectBroken(libfwbuilder::FWObject*);
+    QString getBrokenObjectError(libfwbuilder::FWObject*);
     
 public:
 
diff --git a/src/import/PFImporter.cpp b/src/import/PFImporter.cpp
index 6eb8b0ba4..4cf12d90c 100644
--- a/src/import/PFImporter.cpp
+++ b/src/import/PFImporter.cpp
@@ -587,7 +587,12 @@ FWObject* PFImporter::makeAddressObj(AddressSpec &as)
 
     if (as.at == AddressSpec::TABLE)
     {
-        return address_table_registry[as.address.c_str()];
+        FWObject *at = address_table_registry[as.address.c_str()];
+        if (isObjectBroken(at))
+        {
+            error_tracker->registerError(getBrokenObjectError(at));
+        }
+        return at;
     }
 
     return NULL;
@@ -1375,21 +1380,28 @@ void PFImporter::newAddressTableObject(const string &name,
                     .arg(QString::fromUtf8(name.c_str()))
                     .arg(addr_list.join(", ")));
 
-    if (has_negations)
-    {
-        // can not use error_tracker->registerError() here because
-        // tables are created before importer encounters any rules and
-        // so this error can not be associated with a rule.
-        addMessageToLog(
-            QObject::tr("Error: import of table definition with negated addresses is not supported."));
-    }
-
     ObjectMaker maker(Library::cast(library), error_tracker);
     FWObject *og =
         commitObject(maker.createObject(ObjectGroup::TYPENAME, name.c_str()));
     assert(og!=NULL);
     address_table_registry[name.c_str()] = og;
 
+    if (has_negations)
+    {
+        // can not use error_tracker->registerError() here because
+        // tables are created before importer encounters any rules and
+        // so this error can not be associated with a rule.
+        QString err =
+            QObject::tr("Error: import of table definition with negated "
+                        "addresses is not supported.");
+        addMessageToLog(err);
+
+        err =
+            QObject::tr("Address table '%1' has a mix of negated and non-negated "
+                        "addresses in the original file.");
+        registerBrokenObject(og, err.arg(QString::fromUtf8(name.c_str())));
+    }
+
     for (it=addresses.begin(); it!=addresses.end(); ++it)
     {
         FWObject *obj = makeAddressObj(*it);
diff --git a/src/unit_tests/PFImporterTest/test_data/pf-tables.conf b/src/unit_tests/PFImporterTest/test_data/pf-tables.conf
index 85b430f7d..baf82a3da 100644
--- a/src/unit_tests/PFImporterTest/test_data/pf-tables.conf
+++ b/src/unit_tests/PFImporterTest/test_data/pf-tables.conf
@@ -10,3 +10,9 @@ table <dst_addresses_1> { 192.168.1.1, 192.168.1.2, 192.168.2.0/24 }
 table <dst_addresses_2> { pcn0, pcn0:network }
 table <dst_addresses_3> { pcn0:peer, pcn0:0 }
 table <dst_addresses_4> { www.fwbuilder.org, www.netcitadel.com }
+
+# unsupported: this table has a mix of negated and non-negated addresses
+table <dst_addresses_5> { 192.168.10.1, !192.168.10.2, 192.168.20.0/24 }
+
+# the rule should be marked as "broken"
+pass in quick on em1 from <dst_addresses_5> to any
diff --git a/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb b/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb
index 34418c699..1d1ffc76a 100644
--- a/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb
+++ b/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="22" lastModified="1307340472" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="22" lastModified="1310086930" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -434,75 +434,107 @@
       <ObjectGroup id="id2" name="Addresses" comment="" ro="False">
         <IPv4 id="id3" name="h-192.168.1.1" comment="Created during import of  line 9" ro="False" address="192.168.1.1" netmask="255.255.255.255"/>
         <IPv4 id="id4" name="h-192.168.1.2" comment="Created during import of  line 9" ro="False" address="192.168.1.2" netmask="255.255.255.255"/>
+        <IPv4 id="id5" name="h-192.168.10.1" comment="Created during import of  line 15" ro="False" address="192.168.10.1" netmask="255.255.255.255"/>
+        <IPv4 id="id6" name="h-192.168.10.2" comment="Created during import of  line 15" ro="False" address="192.168.10.2" netmask="255.255.255.255"/>
       </ObjectGroup>
-      <ObjectGroup id="id5" name="DNS Names" comment="" ro="False">
-        <DNSName id="id6" dnsrec="www.fwbuilder.org" dnsrectype="A" run_time="True" name="www.fwbuilder.org" comment="" ro="False"/>
-        <DNSName id="id7" dnsrec="www.netcitadel.com" dnsrectype="A" run_time="True" name="www.netcitadel.com" comment="" ro="False"/>
+      <ObjectGroup id="id7" name="DNS Names" comment="" ro="False">
+        <DNSName id="id8" dnsrec="www.fwbuilder.org" dnsrectype="A" run_time="True" name="www.fwbuilder.org" comment="" ro="False"/>
+        <DNSName id="id9" dnsrec="www.netcitadel.com" dnsrectype="A" run_time="True" name="www.netcitadel.com" comment="" ro="False"/>
       </ObjectGroup>
-      <ObjectGroup id="id8" name="Address Tables" comment="" ro="False">
-        <AddressTable id="id9" filename="" run_time="True" name="mike" comment="" ro="False"/>
-        <AddressTable id="id10" filename="" run_time="True" name="BLOCKTEMP" comment="" ro="False"/>
-        <AddressTable id="id11" filename="./pf_block_permanent" run_time="True" name="BLOCKPERM" comment="" ro="False"/>
-        <AddressTable id="id12" filename="./pf_table" run_time="True" name="BLOCK" comment="" ro="False"/>
-        <AddressTable id="id13" filename="" run_time="True" name="spamd-white" comment="" ro="False"/>
+      <ObjectGroup id="id10" name="Address Tables" comment="" ro="False">
+        <AddressTable id="id11" filename="" run_time="True" name="mike" comment="" ro="False"/>
+        <AddressTable id="id12" filename="" run_time="True" name="BLOCKTEMP" comment="" ro="False"/>
+        <AddressTable id="id13" filename="./pf_block_permanent" run_time="True" name="BLOCKPERM" comment="" ro="False"/>
+        <AddressTable id="id14" filename="./pf_table" run_time="True" name="BLOCK" comment="" ro="False"/>
+        <AddressTable id="id15" filename="" run_time="True" name="spamd-white" comment="" ro="False"/>
       </ObjectGroup>
-      <ObjectGroup id="id14" name="Groups" comment="" ro="False">
-        <ObjectGroup id="id15" name="private" comment="Created during import of  line 7" ro="False">
-          <ObjectRef ref="id34"/>
-          <ObjectRef ref="id35"/>
-          <ObjectRef ref="id36"/>
+      <ObjectGroup id="id16" name="Groups" comment="" ro="False">
+        <ObjectGroup id="id17" name="private" comment="Created during import of  line 7" ro="False">
+          <ObjectRef ref="id40"/>
+          <ObjectRef ref="id41"/>
+          <ObjectRef ref="id42"/>
         </ObjectGroup>
-        <ObjectGroup id="id19" name="dst_addresses_1" comment="Created during import of  line 9" ro="False">
+        <ObjectGroup id="id21" name="dst_addresses_1" comment="Created during import of  line 9" ro="False">
           <ObjectRef ref="id3"/>
           <ObjectRef ref="id4"/>
-          <ObjectRef ref="id37"/>
+          <ObjectRef ref="id43"/>
         </ObjectGroup>
-        <ObjectGroup id="id23" name="dst_addresses_2" comment="Created during import of  line 10" ro="False">
-          <ObjectRef ref="id57"/>
-          <ObjectRef ref="id58"/>
+        <ObjectGroup id="id25" name="dst_addresses_2" comment="Created during import of  line 10" ro="False">
+          <ObjectRef ref="id76"/>
+          <ObjectRef ref="id77"/>
         </ObjectGroup>
-        <ObjectGroup id="id26" name="dst_addresses_3" comment="Created during import of  line 11" ro="False">
-          <ObjectRef ref="id57"/>
-          <ObjectRef ref="id57"/>
+        <ObjectGroup id="id28" name="dst_addresses_3" comment="Created during import of  line 11" ro="False">
+          <ObjectRef ref="id76"/>
+          <ObjectRef ref="id76"/>
         </ObjectGroup>
-        <ObjectGroup id="id29" name="dst_addresses_4" comment="Created during import of  line 12" ro="False">
+        <ObjectGroup id="id31" name="dst_addresses_4" comment="Created during import of  line 12" ro="False">
+          <ObjectRef ref="id8"/>
+          <ObjectRef ref="id9"/>
+        </ObjectGroup>
+        <ObjectGroup id="id34" name="dst_addresses_5" comment="Created during import of  line 15" ro="False">
+          <ObjectRef ref="id5"/>
           <ObjectRef ref="id6"/>
-          <ObjectRef ref="id7"/>
+          <ObjectRef ref="id44"/>
         </ObjectGroup>
       </ObjectGroup>
-      <ObjectGroup id="id32" name="Hosts" comment="" ro="False"/>
-      <ObjectGroup id="id33" name="Networks" comment="" ro="False">
-        <Network id="id34" name="net-10/255.0.0.0" comment="Created during import of  line 7" ro="False" address="255.192.0.0" netmask="255.0.0.0"/>
-        <Network id="id35" name="net-172.16/255.240.0.0" comment="Created during import of  line 7" ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
-        <Network id="id36" name="net-192.168/255.255.0.0" comment="Created during import of  line 7" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
-        <Network id="id37" name="net-192.168.2.0/255.255.255.0" comment="Created during import of  line 9" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
+      <ObjectGroup id="id38" name="Hosts" comment="" ro="False"/>
+      <ObjectGroup id="id39" name="Networks" comment="" ro="False">
+        <Network id="id40" name="net-10/255.0.0.0" comment="Created during import of  line 7" ro="False" address="255.192.0.0" netmask="255.0.0.0"/>
+        <Network id="id41" name="net-172.16/255.240.0.0" comment="Created during import of  line 7" ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
+        <Network id="id42" name="net-192.168/255.255.0.0" comment="Created during import of  line 7" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
+        <Network id="id43" name="net-192.168.2.0/255.255.255.0" comment="Created during import of  line 9" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
+        <Network id="id44" name="net-192.168.20.0/255.255.255.0" comment="Created during import of  line 15" ro="False" address="192.168.20.0" netmask="255.255.255.0"/>
       </ObjectGroup>
-      <ObjectGroup id="id38" name="Address Ranges" comment="" ro="False"/>
+      <ObjectGroup id="id45" name="Address Ranges" comment="" ro="False"/>
     </ObjectGroup>
-    <ServiceGroup id="id39" name="Services" comment="" ro="False">
-      <ServiceGroup id="id40" name="Groups" comment="" ro="False"/>
-      <ServiceGroup id="id41" name="ICMP" comment="" ro="False"/>
-      <ServiceGroup id="id42" name="IP" comment="" ro="False"/>
-      <ServiceGroup id="id43" name="TCP" comment="" ro="False"/>
-      <ServiceGroup id="id44" name="UDP" comment="" ro="False"/>
-      <ServiceGroup id="id45" name="Users" comment="" ro="False"/>
-      <ServiceGroup id="id46" name="Custom" comment="" ro="False"/>
-      <ServiceGroup id="id47" name="TagServices" comment="" ro="False"/>
+    <ServiceGroup id="id46" name="Services" comment="" ro="False">
+      <ServiceGroup id="id47" name="Groups" comment="" ro="False"/>
+      <ServiceGroup id="id48" name="ICMP" comment="" ro="False"/>
+      <ServiceGroup id="id49" name="IP" comment="" ro="False"/>
+      <ServiceGroup id="id50" name="TCP" comment="" ro="False"/>
+      <ServiceGroup id="id51" name="UDP" comment="" ro="False"/>
+      <ServiceGroup id="id52" name="Users" comment="" ro="False"/>
+      <ServiceGroup id="id53" name="Custom" comment="" ro="False"/>
+      <ServiceGroup id="id54" name="TagServices" comment="" ro="False"/>
     </ServiceGroup>
-    <ObjectGroup id="id48" name="Firewalls" comment="" ro="False">
-      <Firewall id="id49" host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pf" name="test_fw" comment="Created during import of  line 10" ro="False">
-        <NAT id="id53" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+    <ObjectGroup id="id55" name="Firewalls" comment="" ro="False">
+      <Firewall id="id56" host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pf" name="test_fw" comment="Created during import of  line 10" ro="False">
+        <NAT id="id72" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
-        <Policy id="id51" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+        <Policy id="id58" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id60" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Created during import of  line 18&#10;Address table 'dst_addresses_5' has a mix of negated and non-negated addresses in the original file.">
+            <Src neg="False">
+              <ObjectRef ref="id34"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id79"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="color">#C86E6E</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
           <RuleSetOptions/>
         </Policy>
-        <Routing id="id55" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+        <Routing id="id74" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </Routing>
-        <Interface id="id57" dedicated_failover="False" dyn="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="Created during import of  line 10" ro="False">
+        <Interface id="id76" dedicated_failover="False" dyn="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="Created during import of  line 10" ro="False">
+          <InterfaceOptions/>
+          <AttachedNetworks id="id77" name="pcn0-net" comment="" ro="False"/>
+        </Interface>
+        <Interface id="id79" dedicated_failover="False" dyn="True" security_level="0" unnum="False" unprotected="False" name="em1" comment="Created during import of  line 18" ro="False">
           <InterfaceOptions/>
-          <AttachedNetworks id="id58" name="pcn0-net" comment="" ro="False"/>
         </Interface>
         <FirewallOptions>
           <Option name="check_shading">true</Option>
@@ -522,7 +554,7 @@
         </FirewallOptions>
       </Firewall>
     </ObjectGroup>
-    <ObjectGroup id="id60" name="Clusters" comment="" ro="False"/>
-    <IntervalGroup id="id61" name="Time" comment="" ro="False"/>
+    <ObjectGroup id="id81" name="Clusters" comment="" ro="False"/>
+    <IntervalGroup id="id82" name="Time" comment="" ro="False"/>
   </Library>
 </FWObjectDatabase>
diff --git a/src/unit_tests/PFImporterTest/test_data/pf-tables.output b/src/unit_tests/PFImporterTest/test_data/pf-tables.output
index d935e7866..5a1242668 100644
--- a/src/unit_tests/PFImporterTest/test_data/pf-tables.output
+++ b/src/unit_tests/PFImporterTest/test_data/pf-tables.output
@@ -12,5 +12,8 @@
 10: New interface: pcn0
 11: Address Table: <dst_addresses_3>:  pcn0, pcn0
 12: Address Table: <dst_addresses_4>:  www.fwbuilder.org, www.netcitadel.com
-Could not find enough information in the data file to create any firewall rules.
-
+15: Address Table: <dst_addresses_5>:  192.168.10.1, !192.168.10.2, 192.168.20.0/24
+15: Error: import of table definition with negated addresses is not supported.
+18: New interface: em1
+18: filtering rule: action pass; interfaces: em1
+18: Error: Address table 'dst_addresses_5' has a mix of negated and non-negated addresses in the original file.