What is Rule Routing?

In traditional proxy tools, you're often limited to "Global Proxy" or "Direct." However, modern internet usage is complex: you might need a proxy for Google, a direct connection to local news sites for speed, and a specific private path for work-related services. Automatically choosing a connection path based on destination, IP, or process name is called Rule Routing.

The core value of Clash lies in its powerful and flexible rule engine. With proper rule configuration, you can achieve a "seamless" internet experience: websites automatically choose the fastest path, downloads use high-bandwidth nodes, and streaming traffic routes through region-specific unlocking nodes.

Basic Structure and Matching Logic

In the rules: section of your config.yaml, each line is a rule. The basic format is:

- TYPE,CONDITION,POLICY[,OPTIONS]

For example:

- DOMAIN-SUFFIX,google.com,Proxy

This rule means: if the domain of the request ends with google.com, use the policy group named Proxy.

💡 Core Logic: Clash follows a top-down matching principle. Once a rule is matched, Clash immediately executes the corresponding policy and stops searching. If no rules match, it uses the default policy specified by the final MATCH rule.

Detailed Explanation of Rule Types

To write effective rules, you must understand the supported rule types.

1. Domain Matching

2. IP Matching

3. Other Matching

Rule Order Matters: First Match Wins

Because of the "first match stops" nature, the order of rules directly determines the routing outcome. A common mistake is placing MATCH,Proxy at the top, which would route all traffic through the proxy and invalidate all subsequent rules.

Recommended Order:

  1. LAN / Direct Blacklist: e.g., localhost, 127.0.0.1.
  2. Exact Domain Matches: For specific services that need unique handling.
  3. Domain Suffix Matches: For the majority of international services.
  4. IP Routing (including GEOIP): For traffic that cannot be identified by domain.
  5. Catch-all Rule (MATCH): For everything else.

Advanced: Efficient Management with Rule Providers

If your rule file grows to thousands of lines, it becomes a nightmare to manage. Clash Meta introduces rule-providers, allowing you to reference external rule sets.

config.yaml Configuration Example
rule-providers:
  google:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/.../google.yaml"
    path: ./ruleset/google.yaml
    interval: 86400

rules:
  - RULE-SET,google,Proxy
  - GEOIP,US,DIRECT
  - MATCH,Final

Benefits of Rule Providers:

DNS and Rules: The Subtle Relationship

Many people wonder: "Why did I write GEOIP,US,Proxy, but my connection is still slow or failing?"

This often involves DNS Resolution. In Fake-IP mode, Clash immediately returns a fake IP to the browser and resolves the DNS internally. If your DNS is poorly configured—returning a foreign IP for a domestic domain—your GEOIP rules might fail to trigger correctly.

Key Point: Use DNS routing within your DNS config. Ensure nameserver includes reliable local DNS servers and set up proper fallback logic.

Troubleshooting and Debugging

1. Rule matched but not working?

Check if an earlier rule is intercepting the request. In a Clash dashboard like Yacd or MetaCubeX, the "Connections" tab shows exactly which rule each connection matched. This is the "golden key" for debugging.

2. Why use Domain routing over IP?

Modern internet services (like CDNs) might use the same IP ranges in different countries. Domain-level routing is handled at the application layer and is significantly more precise.

3. Rule Conflicts?

Follow the "more specific first" rule. Example: DOMAIN,test.google.com,DIRECT should come before DOMAIN-SUFFIX,google.com,Proxy.
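The ordering mistakes described above (a MATCH placed too early, a broad DOMAIN-SUFFIX ahead of a more specific DOMAIN) can be caught before a config is loaded. The following is an added example, not part of the original guide or of Clash itself: a small Python checker that flags rules made unreachable by an earlier, broader rule. The sample rules are constructed and the function names are hypothetical; it assumes DOMAIN-SUFFIX matches on label boundaries and compares only MATCH, DOMAIN, DOMAIN-SUFFIX and IP-CIDR.

```python
import ipaddress

# Constructed sample rules with three ordering mistakes (not the page's template).
CONSTRUCTED_RULES = [
    "- DOMAIN-SUFFIX,google.com,Proxy",
    "- DOMAIN,test.google.com,DIRECT",   # never reached: suffix rule above wins
    "- IP-CIDR,10.0.0.0/8,DIRECT",
    "- IP-CIDR,10.1.0.0/16,Proxy",       # never reached: inside 10.0.0.0/8
    "- MATCH,Final",
    "- GEOIP,US,DIRECT",                 # never reached: MATCH catches everything
]

def parse_rule(line):
    """Split '- TYPE,CONDITION,POLICY[,OPTIONS]'; MATCH carries no condition."""
    raw = line.strip()
    parts = [p.strip() for p in raw.lstrip("-").split(",")]
    if parts[0] == "MATCH":
        return {"type": "MATCH", "cond": None, "policy": parts[1], "raw": raw}
    return {"type": parts[0], "cond": parts[1], "policy": parts[2], "raw": raw}

def covers(earlier, later):
    """True if every connection `later` could match is already caught by `earlier`."""
    et, lt = earlier["type"], later["type"]
    if et == "MATCH":
        return True
    if et == "DOMAIN-SUFFIX" and lt in ("DOMAIN", "DOMAIN-SUFFIX"):
        # Assumption: suffixes match on label boundaries (google.com, *.google.com).
        name, suffix = later["cond"].lower(), earlier["cond"].lower()
        return name == suffix or name.endswith("." + suffix)
    if et == lt == "DOMAIN":
        return earlier["cond"].lower() == later["cond"].lower()
    if et == lt == "IP-CIDR":
        a, b = (ipaddress.ip_network(r["cond"], strict=False) for r in (earlier, later))
        return a.version == b.version and b.subnet_of(a)
    return False  # RULE-SET, GEOIP and the rest are not compared here

def find_shadowed(lines):
    """Return (unreachable_rule, earlier_rule, policy_differs), scanning top-down."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.strip().startswith("#")]
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later["raw"], earlier["raw"], earlier["policy"] != later["policy"]))
                break
    return findings

if __name__ == "__main__":
    for finding in find_shadowed(CONSTRUCTED_RULES):
        print(finding)
```

A finding whose third field is True is the case worth reviewing first: the traffic is taking a different policy than the unreachable rule intended.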

Practical Case: An Ideal Config Template

Here is a rule configuration snippet based on best practices, balancing performance and precision:

rules:
  # 1. LAN / Direct
  - DOMAIN-SUFFIX,local,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT

  # 2. Specific Service Routing
  - DOMAIN-SUFFIX,apple.com,AppleServices
  - DOMAIN-SUFFIX,netflix.com,Streaming

  # 3. Rule Sets for broad categories
  - RULE-SET,proxy,Proxy
  - RULE-SET,gfw,Proxy
  
  # 4. IP Fallback
  - GEOIP,US,DIRECT
  
  # 5. Global Catch-all
  - MATCH,FinalProxy

With this structure, your network requests are handled precisely: local traffic stays direct for low latency, known international services use the proxy via RULE-SET, and unknown traffic is routed through FinalProxy for guaranteed connectivity.

Rule routing isn't a "set and forget" task. As the network environment changes, updating rule sets and adjusting policy groups is key to maintaining a smooth experience.

We hope this guide helps you build the perfect Clash config. Remember, true freedom comes from precise control over every request.

Conclusion: From Manual Config to Intelligent Routing

Once you master rule routing, Clash becomes more than just a proxy tool—it becomes your private, intelligent network dispatcher. While initial setup requires effort, the resulting seamless experience is unmatched by traditional VPNs.

If you prefer a simpler, more modern experience without tweaking complex YAML files, choosing a client with timely kernel updates and a friendly UI is equally important.
