Why Rules Feel Ignored: First Match Wins
Clash evaluates the rules section from top to bottom. The first line whose condition matches the current connection decides the outcome; nothing below runs for that packet. That single fact explains half the Reddit threads titled “my DOMAIN rule does nothing.” Symptom templates repeat everywhere: you append DOMAIN-SUFFIX,example.com,PROXY near the bottom of a fifty-line remote bundle, yet traffic still hits DIRECT because an earlier RULESET, GEOIP, or broad DOMAIN-KEYWORD already matched. Before touching subscriptions, align mental models with how curated stacks layer matchers—see Clash rules routing best practices for DOMAIN versus RULESET versus providers. Precision beats cargo-cult ordering copied from screenshots.
Imported profiles often merge remote lists ahead of user snippets; GUIs sometimes prepend subscription-provided fragments automatically. Treat anything inserted above your edits as hostile until proven otherwise: collapse duplicates, narrow wildcard keywords that swallow CDNs you forgot existed, and trim oversized RULESET subscriptions whose tags hide aggressive defaults. Logging clarifies winners faster than intuition—raise verbosity briefly (respect privacy), reload, reproduce once, note which rule identifier the core prints before chasing GEOIP guilt.
MATCH Must Sit Last (Usually)
The special matcher MATCH matches every connection not captured earlier, exactly once per evaluation path, so it behaves like a catch-all; some forks and core revisions spell the same thing FINAL. When MATCH sits anywhere except after every narrower rule, every line beneath it becomes unreachable clutter that never executes. Typical symptom stack: MATCH forwards everything to a “proxy group” thirty lines above your painstaking DIRECT exceptions; moving MATCH to the genuine tail restores predictable splits.
Multiple MATCH statements rarely help unless a profile explicitly stitches fragments, and duplicate FINAL semantics confuse newcomers, so prefer one decisive MATCH with ordered specificity above it. Document inline YAML comments sparingly yet honestly (“keep MATCH last”) so future-you avoids merging mixin overlays that prepend MATCH via automation scripts.
DOMAIN, GEOIP, IP-CIDR—Who Goes First?
Conceptually: hostname-centric matchers (DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, GEOSITE, remote RULESET bodies resolving domains) compete strictly by list position—not magical priority tiers baked into keywords alone. Once resolution yields outbound IPs, rules keyed on addresses (IP-CIDR, GEOIP, ASN-oriented fork extensions) evaluate against those IPs—still obeying global order inside your YAML after expansion.
Practical takeaway for troubleshooting: if your symptom involves wrong geography (GEOIP picks CN despite expectation), verify nothing earlier hijacked that flow via domain lists first; then verify GEOIP sees the IP your resolver produced—not an ephemeral fake-ip placeholder—and confirm your IP-CIDR anchors appear before GEOIP when you intentionally pin subnets regardless of national tagging.
Large subscription RULESET blobs commonly bundle tens of thousands of domains ahead of GEOIP CN/DIRECT shortcuts—fine until one obscure CDN overlaps your corner case; reorder surgically instead of nuking entire vendor packs unless maintenance burden warrants regeneration.
GEOIP “Wrong Country” vs DNS and Fake-IP
GEOIP compares resolved destinations against your local MaxMind-compatible database, not psychic omniscience about moral geography, so stale data skews verdicts just as mistaken ordering assumptions do. When mainland destinations egress overseas despite proper GEOIP,CN,DIRECT ordering above MATCH, renew the geography databases before rewriting YAML; walkthrough paths appear in Clash GEOIP mmdb and geosite refresh guidance.
Separate bucket: DNS answers disagree with reality—fake-ip pools synthesize ephemeral ranges until sniffing resolves canonical IPs; inconsistent resolver layering mirrors fake LAN breakage documented in Fake-IP LAN and router bypass notes. Until DNS sections align (nameserver, fallback, fake-ip-filter), GEOIP inspects ghosts—priority tweaks alone fail. Align stacks methodically via Clash Meta DNS nameserver and fake-ip-filter setup.
IPv6 dual-stack deployments amplify mismatch symptoms without touching GEOIP binaries—parallel verification belongs beside routing tweaks whenever AAAA paths diverge from A-record assumptions.
Policy Groups Versus Rules
Rules decide which policy group name handles traffic; never confuse that stage with picking nodes inside the group. A url-test selector stuck on the wrong upstream explains latency puzzles orthogonal to GEOIP misses, yet beginners mash policy knobs while YAML order stays frozen. Cross-check selectors using Clash policy groups url-test and fallback tuning once routing logs prove the rules themselves behave sensibly.
Nested proxies or chained outbound stacks compound surprises—failure fallback triggers hide beneath serene RULE lines until latency probes flap.
RULESET Providers and Silent Precedence
Remote RULESET rules hydrate from URLs into local caches, often SQLite shards managed by Mihomo-compatible cores, yet after expansion they occupy ordinary slots inside your effective rule stack, exactly where the subscription author positioned the tag references. Operators importing commercial bundles rarely scroll through the thousands of invisible DOMAIN rows inserted ahead of their personal tweaks; consequently GEOIP shortcuts nested deep inside vendor YAML never engage, because the vendor RULESET fragments merged earlier take priority wholesale.
Mitigations vary by ambition: fork providers downward beneath exceptions only after verifying automation pipelines regenerate cleanly; alternatively duplicate narrowly scoped overrides (DOMAIN-SUFFIX entries targeting antagonistic CDN apex domains) ahead of massive RULESET spans knowing maintenance burden rises proportionally; lastly prune obsolete RULESET categories whose benign-looking gaming lists inadvertently swallowed productivity SaaS APIs sharing commodity edges.
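To make the first-match rule from the opening section and the RULESET expansion described here concrete, this added example (not Clash's own code) splices a constructed provider body into the slot of its RULE-SET reference, which is how Clash spells the page's RULESET, then walks the flattened list and reports the first line that matches a given host and resolved IP. The provider name, policies, addresses and the stand-in GEOIP table are all constructed; the sample also uses Clash's `no-resolve` option on the IP-CIDR line.

```python
import ipaddress
# Constructed sample profile. Clash rules read TYPE,VALUE,POLICY (MATCH has only a policy);
# the page's RULESET is Clash's RULE-SET, whose provider body omits the policy and inherits it.
PROVIDERS = {"vendor-cdn": ["DOMAIN-KEYWORD,cdn", "DOMAIN-SUFFIX,example.com"]}
RULES = [
    "RULE-SET,vendor-cdn,PROXY",
    "DOMAIN-SUFFIX,example.com,DIRECT",   # the handwritten exception
    "IP-CIDR,10.0.0.0/8,DIRECT,no-resolve",
    "GEOIP,CN,DIRECT",
    "MATCH,PROXY",
]
GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "CN"}  # stand-in for the mmdb

def parse(rule):
    t, *f = rule.split(",")
    return (t, None, f[0]) if t == "MATCH" else (t, f[0], f[1])

def expand(rules, providers):
    """Splice each provider body into the slot its RULE-SET line occupies."""
    out = []
    for rule in rules:
        t, name, policy = parse(rule)
        if t == "RULE-SET":
            out.extend(f"{body},{policy}" for body in providers[name])
        else:
            out.append(rule)
    return out

def geoip_lookup(ip):  # stand-in for the mmdb country lookup
    return next((cc for net, cc in GEOIP.items() if ipaddress.ip_address(ip) in net), None)

def matches(rule, host, ip):
    t, v, _ = parse(rule)
    if t in ("IP-CIDR", "GEOIP") and ip is None:
        return False  # no resolved address yet, so IP-keyed rules cannot fire
    return {
        "MATCH": lambda: True,
        "DOMAIN": lambda: host == v,
        "DOMAIN-SUFFIX": lambda: host == v or host.endswith("." + v),
        "DOMAIN-KEYWORD": lambda: v in host,
        "IP-CIDR": lambda: ipaddress.ip_address(ip) in ipaddress.ip_network(v),
        "GEOIP": lambda: geoip_lookup(ip) == v,
    }[t]()

def route(rules, host, ip=None):
    """First match wins: return (index, rule, policy) of the deciding line."""
    for i, rule in enumerate(rules):
        if matches(rule, host, ip):
            return i, rule, parse(rule)[2]
    return None  # no MATCH tail: the flow stays undecided
```

With the provider reference above the handwritten line, `route(expand(RULES, PROVIDERS), "www.example.com", "198.51.100.7")` is decided by the provider's injected DOMAIN-SUFFIX row and returns PROXY; swapping the first two entries of RULES makes the same call return DIRECT.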
Version bumps reshuffle upstream ordering silently: a subscription refresh can rearrange collisions without touching your git-tracked mixin fragments, and nothing flags it unless the hashes drift observably. Always snapshot textual exports after an upgrade and compare where MATCH sits whenever unexplained regressions appear alongside changelog bullets such as “optimize domestic CDN lists.”
As a lightweight experiment, disable RULESET participation entirely for a moment to isolate the culprit; restore it promptly afterward, respecting any licensing obligations in upstream manifests that prohibit commercial redistribution of stripped-down excerpts.
Step-by-Step Reorder and Verification
Execute reproducibly:
- Dump effective rule order. Export merged YAML after mixin overlays resolve—GUIs hide appended fragments unless flattened.
- Locate MATCH/FINAL analogues. Ensure exactly one definitive tail catcher sits physically below narrower matchers.
- Sweep superseding RULESET imports. Temporarily disable suspicious providers or hoist surgeon-grade exceptions above them.
- Insert surgical exceptions. Move tightly scoped DOMAIN/IP-CIDR entries ahead of coarse GEOIP buckets affecting identical flows.
- Reload core. Apply profiles cleanly—avoid stale caches referencing outdated RULESET SQLite shards.
- Confirm via logs. Repeat targeted fetch; trace matched rule tokens comparing expectation versus observed policy groups.
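A static check for the second and third steps, and for the "MATCH must sit last" rule, as an added example rather than Clash's own tooling: it reads a flattened rule order and reports every line that can never decide a connection, either because it sits below MATCH or because an earlier line of equal or broader scope (a DOMAIN-KEYWORD contained in the later suffix, an IP-CIDR enclosing the later subnet, a repeated GEOIP country) already captures everything it would. The sample rules are constructed.

```python
import ipaddress

# Constructed sample of a flattened rule order (RULE-SET bodies already spliced in)
RULES = [
    "DOMAIN-KEYWORD,cdn,PROXY",
    "DOMAIN-SUFFIX,static.cdn.example.net,DIRECT",  # every such host contains "cdn"
    "IP-CIDR,10.0.0.0/8,DIRECT,no-resolve",
    "IP-CIDR,10.20.0.0/16,PROXY,no-resolve",        # lies inside 10.0.0.0/8
    "GEOIP,CN,DIRECT",
    "MATCH,PROXY",
    "DOMAIN-SUFFIX,example.com,DIRECT",              # below MATCH: never evaluated
]

def parse(rule):
    t, *f = rule.split(",")
    return (t, None, f[0]) if t == "MATCH" else (t, f[0], f[1])

def subsumes(earlier, later):
    """True when every connection matched by `later` is already matched by `earlier`."""
    (et, ev), (lt, lv) = earlier, later
    if et == "DOMAIN":
        return lt == "DOMAIN" and lv == ev
    if et == "DOMAIN-SUFFIX":
        return lt in ("DOMAIN", "DOMAIN-SUFFIX") and (lv == ev or lv.endswith("." + ev))
    if et == "DOMAIN-KEYWORD":
        return lt in ("DOMAIN", "DOMAIN-SUFFIX", "DOMAIN-KEYWORD") and ev in lv
    if et == "IP-CIDR" and lt == "IP-CIDR":
        a, b = ipaddress.ip_network(lv), ipaddress.ip_network(ev)
        return a.version == b.version and a.subnet_of(b)
    return et == "GEOIP" and lt == "GEOIP" and ev == lv

def lint(rules):
    """Return (index, rule, reason) for every line that can never decide a flow."""
    findings, seen, match_at = [], [], None
    for i, rule in enumerate(rules):
        t, v, _ = parse(rule)
        if match_at is not None:
            findings.append((i, rule, f"unreachable: after MATCH at index {match_at}"))
            continue
        if t == "MATCH":
            match_at = i
            continue
        for j, earlier in seen:
            if subsumes(earlier, (t, v)):
                findings.append((i, rule, f"shadowed by index {j}: {rules[j]}"))
                break
        seen.append((i, (t, v)))
    return findings
```

Run `lint(RULES)` on your exported order after each reload; a shadowed line whose policy differs from the shadowing line is precisely the "my rule does nothing" symptom, while one with the same policy is merely clutter.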
When logs expose handshake failures masquerading as routing puzzles, pivot diagnostics toward transport—not sequencing—via Clash connection logs timeout and TLS troubleshooting.
Maintain plaintext changelog snippets beside YAML noting reorder rationales (“2026-04-29 moved GEOIP CN below CDN RULESET fork collision”), shrinking regression surprises during automated merges.
When IP-CIDR Overrides GEOIP Intuition
Operators frequently paste corporate IP-CIDR carve-outs (10.0.0.0/8, split-tunnel VPN ranges, RFC1918 overlaps) expecting unconditional DIRECT routing regardless of geography labeling elsewhere. Placement matters here too: any broader proxy RULESET catching CDN overlap ahead of those lines resurrects mysteries disguised as GEOIP betrayal despite impeccable CN tagging intentions downstream.
Conversely, pinning multinational hyperscaler subnets with narrow IP-CIDR directives forces deterministic paths, yet stale CIDR spreadsheets drift weekly as BGP announcements reshuffle; schedule recurring audits against traceroute snapshots to verify the anchors remain truthful, lest rigid precedence trap flows worse than the GEOIP ambiguity it replaced.
GEOSITE Bundles Versus Handmade DOMAIN Lines
Community GEOSITE categories consolidate sprawling hostname inventories—streaming vendors, trackers, advertisement ecosystems—often exceeding tens of megabytes serialized. Embedding those blobs ahead of succinct DOMAIN exceptions duplicates RULESET collisions mechanically unless fork packaging deliberately separates user customization zones beneath curated tiers.
GUI surfaces presenting forests of checkboxes seldom visualize the concatenated precedence faithfully; flatten the YAML mentally and enumerate insertion indices whenever toggling macro bundles, lest a dormant MATCH tail relocate unintentionally.
Hybrid deployments chaining DNS filtering appliances upstream compound the ambiguity, because queries answered outside Clash bypass its tunnel semantics entirely; cross-verify authoritative resolver outputs independently whenever a GEOIP verdict contradicts visibly divergent traceroute hops despite superficially innocent YAML.
Smoke-testing deserves ritual discipline: capture baseline curl timings across representative endpoints spanning domestic portals, multinational SaaS tiers and UDP-heavy VoIP codecs; differences emerge subtly because QUIC multiplexing masks the naive TCP-centric assumptions analysts historically anchored on.
Documentation hygiene pays dividends: embed hyperlink anchors referencing upstream vendor ticket identifiers whenever escalating anomalies externally, so downstream operators reconstruct timelines faster by aligning telemetry breadcrumbs collaboratively instead of rehearsing anecdotal folklore alone.
Closing Note
Complaints that Clash ignores handwritten rules usually distill into sequencing oversight—MATCH misplaced, RULESET giants overshadowing bespoke lines—or GEOIP judgments poisoned by DNS fakery plus outdated geography blobs rather than mystical compiler bugs. Attack ordering analytically: freeze assumptions, instrument logs briefly, reorder narrowly, reload deliberately. Compared with endlessly swapping aircraft-grade subscription URLs hoping vibes improve, disciplined precedence edits repay attention immediately.
When transparent kernels reroute entire stacks—think tun overlays versus conventional listeners—alignment chores multiply yet precedence fundamentals persist unchanged underneath.
Stable routing stacks deserve tooling that exposes merged precedence plainly rather than burying MATCH fifteen modal dialogs deep—grab builds tuned for readability alongside diagnostics.
Compared with brittle hacks chained atop brittle hacks, verifying sequence plus geography assets yields cleaner splits without sacrificing lawful transparency.
Continue iterating responsibly only within environments where policy permits inspection.