diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 2814683..2f16485 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp @@ -291,17 +291,56 @@ static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_re return 1; } -static struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int result_num) +static struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int result_num, char *domain, int domain_len, int thread_seq) { - int i=0; + int i=0,ret=0; Maat_rule_t *p_result=NULL; + Maat_rule_t q_result; + scan_status_t mid=NULL; + if(result==NULL || result_num<=0) { return NULL; } - + + ret=Maat_rule_sort_by_evaluation_order(g_tsg_maat_feather, result, result_num); + if(ret!=result_num) + { + return NULL; + } + p_result=&result[0]; + if(p_result->action==TSG_ACTION_INTERCEPT && domain!=NULL && domain_len>0) + { + ret=Maat_full_scan_string(g_tsg_maat_feather, + g_tsg_para.table_id[TABLE_EXCLUSION_SSL_SNI], + CHARSET_UTF8, + domain, + domain_len, + &q_result, + NULL, + 1, + &mid, + thread_seq); + if(ret>0) + { + p_result=NULL; + for(i=1; iaction==TSG_ACTION_INTERCEPT) + { + continue; + } + p_result=&result[i]; + } + } + } + + return p_result; + + p_result=&result[0]; + for(i=1; i(unsigned char)p_result->action) @@ -467,7 +506,7 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t if(ret>0) { hit_num+=ret; - q_result=tsg_policy_decision_criteria(all_result, hit_num); + q_result=tsg_policy_decision_criteria(all_result, hit_num, identify_info.domain, identify_info.domain_len, thread_seq); FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1); } 
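Review bot: The scan status `mid` that `Maat_full_scan_string` fills through `&mid` in the new tsg_policy_decision_criteria is never released; the entry-point hunks in this same diff release theirs with `Maat_clean_status(&mid); mid=NULL;`, so unless that call leaves `mid` untouched on a miss, the same two lines belong directly after the exclusion lookup, before `return p_result;`. A second point: when `Maat_rule_sort_by_evaluation_order` returns anything but result_num the function now returns NULL, and the callers in the -510 and -651 hunks skip the whole action switch on NULL, so a sort failure silently turns a matched rule set into no enforcement at all — falling back to the old highest-action selection, or at least logging the failure, is safer than a bare `return NULL;`. That old selection loop (`p_result=&result[0]; for(i=1; ...`) is still present after the new `return p_result;` but is now unreachable and should be deleted rather than left as dead code. The fallback loop that skips TSG_ACTION_INTERCEPT entries does not `break` at its first non-intercept rule, so it ends on the last one; if the sort places the highest-priority rule first, the intended pick is presumably the first non-intercept rule — the loop text is partly garbled here, so confirm against the source.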
@@ -510,7 +549,7 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t mid=NULL; } - p_result=tsg_policy_decision_criteria(all_result, hit_num); + p_result=tsg_policy_decision_criteria(all_result, hit_num, identify_info.domain, identify_info.domain_len, thread_seq); if(p_result!=NULL) { @@ -651,7 +690,7 @@ extern "C" char TSG_MASTER_UDP_ENTRY(struct streaminfo *a_udp, void **pme, int t Maat_clean_status(&mid); mid=NULL; } - p_result=tsg_policy_decision_criteria(result, ret); + p_result=tsg_policy_decision_criteria(result, ret, identify_info.domain, identify_info.domain_len, thread_seq); if(p_result!=NULL) { switch((unsigned char)p_result->action) diff --git a/src/tsg_entry.h b/src/tsg_entry.h index 72f4b12..c0e6ff8 100644 --- a/src/tsg_entry.h +++ b/src/tsg_entry.h @@ -16,6 +16,7 @@ enum MASTER_TABLE{ TABLE_APP_ID, TABLE_HTTP_HOST, TABLE_SSL_SNI, + TABLE_EXCLUSION_SSL_SNI, TABLE_MAX }; diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp index 54da7d1..7923082 100644 --- a/src/tsg_rule.cpp +++ b/src/tsg_rule.cpp 
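Review bot: Nothing in this diff assigns `g_tsg_para.table_id[TABLE_EXCLUSION_SSL_SNI]`, which the new lookup in tsg_policy_decision_criteria indexes; the tsg_rule.cpp hunk only fills `table_name[TABLE_EXCLUSION_SSL_SNI]`. If the name-to-id resolution is a loop up to `TABLE_MAX` elsewhere, inserting the new enumerator above `TABLE_MAX` covers it, but that is worth confirming, because an unresolved id would make the exclusion lookup never match and the feature would be inert without any error. A short comment on the new enumerator in tsg_entry.h, `/* SNI exclusion list consulted before TSG_ACTION_INTERCEPT; keep above TABLE_MAX */`, would record that dependency for the next person who reorders the enum.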
@@ -216,11 +216,12 @@ int tsg_rule_init(const char* conffile, void *logger) char cb_subscriber_ip_table[32]={0}; MESA_load_profile_string_def(conffile, "MAAT", "PROFILE", maat_conffile, sizeof(maat_conffile), "./tsgconf/maat_profile.conf"); - MESA_load_profile_string_def(conffile, "MAAT", "IP_ADDR_TABLE", g_tsg_para.table_name[TABLE_IP_ADDR], _MAX_TABLE_NAME_LEN, "TSG_OBJ_IP_ADDR"); + MESA_load_profile_string_def(conffile, "MAAT", "IP_ADDR_TABLE", g_tsg_para.table_name[TABLE_IP_ADDR], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_ADDR"); MESA_load_profile_string_def(conffile, "MAAT", "SUBSCRIBER_ID_TABLE", g_tsg_para.table_name[TABLE_SUBSCRIBER_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_SUBSCRIBER_ID"); MESA_load_profile_string_def(conffile, "MAAT", "APP_ID_TABLE", g_tsg_para.table_name[TABLE_APP_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_APP_ID"); MESA_load_profile_string_def(conffile, "MAAT", "HTTP_HOST_TABLE", g_tsg_para.table_name[TABLE_HTTP_HOST], _MAX_TABLE_NAME_LEN, "TSG_FIELD_HTTP_HOST"); MESA_load_profile_string_def(conffile, "MAAT", "SSL_SNI_TABLE", g_tsg_para.table_name[TABLE_SSL_SNI], _MAX_TABLE_NAME_LEN, "TSG_FIELD_SSL_SNI"); + MESA_load_profile_string_def(conffile, "MAAT", "DECYPTION_EXCLUSION_SSL_SNI", g_tsg_para.table_name[TABLE_EXCLUSION_SSL_SNI], _MAX_TABLE_NAME_LEN, "TSG_DECYPTION_EXCLUSION_SSL_SNI"); //init dynamic maat feather g_tsg_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_STATIC", (char *)"STATIC", logger);
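Review bot: The default for `IP_ADDR_TABLE` changes from `"TSG_OBJ_IP_ADDR"` to `"TSG_SECURITY_ADDR"` in a commit that is otherwise about SNI exclusion; any deployment that relies on the default instead of setting the key will silently start reading a different Maat table for address rules, so this deserves its own commit or at least an explicit mention in the commit message. The new key `DECYPTION_EXCLUSION_SSL_SNI` and its default table name `TSG_DECYPTION_EXCLUSION_SSL_SNI` both misspell "decryption"; once shipped the misspelled key becomes the configuration contract, so correct it before merge and keep the `_TABLE` suffix the sibling keys use, e.g. `"DECRYPTION_EXCLUSION_SSL_SNI_TABLE"`. tsg_rule_init starts before this hunk and continues after it.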