How Clash Rules Work and Why Order Matters

When Clash runs in Rule mode, every outbound connection is classified by an ordered list in your profile YAML under rules:. The kernel inspects metadata—hostname from SNI or HTTP Host, destination IP, port, process name on supported platforms—and compares it against each line until one rule matches. First match wins; everything below is ignored for that connection.

That design is what makes split routing possible: send Netflix and GitHub through a proxy group, keep your bank and local streaming direct, and reject malware domains entirely—all in one config. Misunderstanding priority is the number-one reason users see "domestic sites are slow" or "foreign sites never load": a broad rule placed too high shadows the exceptions below it.

Rule mode vs Global vs Direct: In Global mode every connection uses the selected proxy group regardless of rules. Direct bypasses proxies entirely. Only Rule mode evaluates the rules: array—where DOMAIN, GEOIP, and MATCH actually matter.

Each rule line follows the pattern TYPE,argument,policy. The policy is either a built-in action (DIRECT, REJECT, REJECT-DROP, PASS in some builds) or the name of a proxy group defined under proxy-groups:—for example Proxy, Auto, or HK-Select. If the policy names a group that does not exist, the profile fails to load.

| Concept | Meaning |
| --- | --- |
| First match | Evaluation stops at the first matching rule; lower rules are never checked. |
| Policy | Where traffic goes: DIRECT, REJECT, or a proxy group name. |
| Rule providers | External lists merged at runtime—still subject to position in the overall order. |
| MATCH | Catch-all with no filter; must appear last or nothing below it runs. |

DOMAIN Rules: Exact, Suffix, and Keyword Matching

Domain rules are the most readable way to steer well-known services. They run early in most configs because hostname data is cheap to evaluate and precise to tune—before Clash falls back to IP-based GEOIP lookups.

DOMAIN — exact hostname match

Syntax: DOMAIN,hostname,policy. Only the exact host matches. DOMAIN,www.example.com,DIRECT hits www.example.com but not api.example.com or example.com.

rules:
  - DOMAIN,localhost,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,updates.example.com,Proxy

Use DOMAIN when you need surgical control—a single CDN host, one OAuth endpoint, or a telemetry domain that should not inherit a broader suffix rule.

DOMAIN-SUFFIX — domain and all subdomains

Syntax: DOMAIN-SUFFIX,suffix,policy. A leading dot is optional; google.com and .google.com behave the same. DOMAIN-SUFFIX,google.com,Proxy matches www.google.com, mail.google.com, and google.com itself.

rules:
  - DOMAIN-SUFFIX,apple.com,DIRECT
  - DOMAIN-SUFFIX,microsoft.com,DIRECT
  - DOMAIN-SUFFIX,github.com,Proxy
  - DOMAIN-SUFFIX,githubusercontent.com,Proxy

Suffix trap: DOMAIN-SUFFIX,com,Proxy would match almost every .com site on the internet. Keep suffixes at meaningful registrable domains—office.com, not com.

DOMAIN-KEYWORD — substring match

Syntax: DOMAIN-KEYWORD,keyword,policy. Matches if the hostname contains the keyword anywhere. DOMAIN-KEYWORD,google,Proxy catches google.com, googleapis.com, and even notgoogle.com—which may be unintended.

Keyword rules are legacy-friendly for messy blocklists but easy to over-match. Prefer DOMAIN-SUFFIX for services you trust; reserve KEYWORD for provider-supplied anti-ad rules where false positives are acceptable.

DOMAIN-REGEX (Mihomo)

Mihomo adds DOMAIN-REGEX,pattern,policy for regular-expression hostname matching. Powerful for internal tooling, but harder to audit than suffix lists. Escape dots and test carefully—an overly broad regex at the top of your list can hijack traffic meant for GEOIP rules below.

Provider subscriptions often ship rule-providers with thousands of DOMAIN-SUFFIX lines for ads and trackers. Reference them with RULE-SET,provider-name,policy and place that block after your personal DIRECT exceptions but before GEOIP—otherwise a GEOIP,CN,DIRECT line above the ad list sends tracker domains direct.

GEOIP Rules: Route by Destination Country

Syntax: GEOIP,country-code,policy. Clash resolves the connection's destination IP against a GeoIP database (MaxMind-style country codes) and applies the policy when the IP belongs to that country. GEOIP,CN,DIRECT is the classic split-tunnel pattern for users in China: domestic IPs skip the proxy; everything else can fall through to a foreign proxy group.

rules:
  - DOMAIN-SUFFIX,cn,DIRECT
  - DOMAIN-SUFFIX,126.com,DIRECT
  - GEOIP,CN,DIRECT
  - GEOIP,US,Proxy
  - MATCH,Proxy

GEOIP evaluates IP addresses, not domain names. A .cn domain hosted on a foreign CDN may geolocate outside CN until DNS resolves; conversely, a .com site on a domestic IP matches GEOIP,CN. That is why experienced configs combine DOMAIN-SUFFIX exceptions above GEOIP lines—domains you know should stay direct regardless of where the CDN edge sits today.

GEOIP,LAN and private ranges

GEOIP,LAN,DIRECT (or explicit IP-CIDR private blocks) keeps RFC 1918 addresses—192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12—off the proxy. Without it, LAN printer traffic or NAS access can loop through a remote node and fail silently.

Database updates

Mihomo bundles or downloads GeoIP data depending on build. Stale databases mislabel CDN shifts after major peering changes. If a domestic service suddenly proxies, check whether its IPs moved abroad before blaming nodes. Some advanced profiles use GEOSITE rules (domain lists by category, e.g. GEOSITE,youtube,Proxy) alongside GEOIP—GEOSITE matches names; GEOIP matches resolved IPs.

| Rule type | Matches on | Typical use |
| --- | --- | --- |
| DOMAIN / SUFFIX / KEYWORD | Hostname (SNI / Host header) | Named services, ads, allowlists |
| GEOIP | Destination IP country | Bulk split: CN direct, others proxy |
| GEOSITE | Curated domain lists | Category blocks (youtube, cn, etc.) |
| IP-CIDR | Explicit CIDR ranges | LAN, datacenter, custom IP lists |

IP-CIDR, Ports, and Process Rules

Not every decision is domain-shaped. Games, raw IP APIs, and local Docker services often connect by address. IP-CIDR,192.168.0.0/16,DIRECT and IP-CIDR6,fe80::/10,DIRECT pin private IPv4 and link-local IPv6 traffic direct. Append ,no-resolve when the rule should match the literal IP in the socket without triggering a DNS lookup—useful for rules that must run before Clash resolves a name.

rules:
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - DST-PORT,22,DIRECT

DST-PORT,port,policy filters by destination port—common for forcing SSH (22) direct while still proxying browsers. On Windows and macOS with enhanced builds, PROCESS-NAME,App.exe,Proxy routes a specific executable regardless of domain, which pairs well with TUN mode when a game ignores system proxy settings. See our game acceleration and TUN guide for process-level routing in practice.
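To make the first-match semantics from the DOMAIN, GEOIP and IP-CIDR/port sections concrete, here is an added, self-contained Python model of the evaluation loop. It is not code from Clash or Mihomo: the rule grammar (TYPE,argument,policy[,no-resolve]) follows this article, while the GeoIP table, the DNS answers, the rule list and the test connections are constructed sample data (TEST-NET addresses with made-up country codes), and no-resolve is simplified to "skip this rule when matching would require a DNS lookup". The cases it walks through are the ones the text warns about: a .cn hostname served from a foreign CDN still goes DIRECT because the DOMAIN-SUFFIX line sits above GEOIP, notgoogle.com is caught by DOMAIN-KEYWORD,google, and a LAN printer reached by hostname slips past the no-resolve IP-CIDR line and is only saved by GEOIP,LAN.

```python
"""Minimal model of Clash's first-match rule evaluation.

Added illustration, not code from Clash or Mihomo. The rule grammar follows the
article; the GeoIP table, DNS answers, rules and connections are constructed
sample data (TEST-NET addresses with made-up country codes), and no-resolve is
modelled as "skip this rule when matching would need a DNS lookup".
"""
import ipaddress

# Constructed stand-ins for the GeoIP database and for DNS answers.
GEOIP_TABLE = {"203.0.113.10": "CN", "198.51.100.7": "US", "192.0.2.33": "US"}
DNS_TABLE = {
    "www.example.com": "198.51.100.7",
    "api.example.com": "198.51.100.7",
    "shop.example.cn": "198.51.100.7",   # .cn name served from a foreign CDN edge
    "cdn.example.net": "203.0.113.10",   # .net name served from a domestic IP
    "printer.local": "192.168.1.20",
}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10")]


def parse_rule(line):
    """Split 'TYPE,argument,policy[,no-resolve]'; MATCH carries no argument."""
    parts = [p.strip() for p in line.split(",")]
    if parts[0].upper() == "MATCH":
        return {"type": "MATCH", "arg": None, "policy": parts[1], "no_resolve": False}
    return {"type": parts[0].upper(), "arg": parts[1], "policy": parts[2],
            "no_resolve": len(parts) > 3 and parts[3].lower() == "no-resolve"}


def geoip(ip):
    """Country code for an IP; loopback, RFC 1918 and link-local count as LAN."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return "LAN"
    return GEOIP_TABLE.get(ip)


def rule_matches(rule, meta):
    """True when one parsed rule matches a connection.

    meta: host (None when the app connected to a literal IP), ip (None until
    resolved), port. IP rules resolve the host on demand unless no-resolve.
    """
    t, arg = rule["type"], rule["arg"]
    host = (meta.get("host") or "").lower()
    if t == "MATCH":
        return True
    if t == "DOMAIN":
        return host == arg.lower()
    if t == "DOMAIN-SUFFIX":
        suffix = arg.lower().lstrip(".")          # leading dot is optional
        return host == suffix or host.endswith("." + suffix)
    if t == "DOMAIN-KEYWORD":
        return arg.lower() in host                # substring: also hits notgoogle.com
    if t == "DST-PORT":
        return meta.get("port") == int(arg)
    ip = meta.get("ip")                            # IP-based rules from here on
    if ip is None and host:
        if rule["no_resolve"]:
            return False                          # never trigger a lookup for this rule
        ip = meta["ip"] = DNS_TABLE.get(host)     # resolve once, reuse for later rules
    if ip is None:
        return False
    if t in ("IP-CIDR", "IP-CIDR6"):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if t == "GEOIP":
        return geoip(ip) == arg.upper()
    return False


def classify(rules, host=None, ip=None, port=443):
    """First match wins: return (policy, matching rule) or (None, None)."""
    meta = {"host": host, "ip": ip, "port": port}
    for line in rules:
        rule = parse_rule(line)
        if rule_matches(rule, meta):
            return rule["policy"], line
    return None, None


SAMPLE_RULES = [
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "DOMAIN,www.example.com,DIRECT",
    "DOMAIN-SUFFIX,.cn,DIRECT",
    "DOMAIN-SUFFIX,github.com,Proxy",
    "DOMAIN-KEYWORD,google,Proxy",
    "DST-PORT,22,DIRECT",
    "GEOIP,LAN,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,Proxy",
]

if __name__ == "__main__":
    for host, port in [("shop.example.cn", 443), ("notgoogle.com", 443), ("printer.local", 9100)]:
        print(host, port, "->", classify(SAMPLE_RULES, host=host, port=port))
```

Run it and compare the returned rule with what you expected; moving a line in SAMPLE_RULES and re-running is the same experiment as step 3 of the debugging checklist, just without touching a live profile.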

MATCH: The Mandatory Catch-All

Syntax: MATCH,policy—no filter argument. Every connection that survived the list above lands here. A profile without MATCH leaves unmatched traffic in an undefined state; Mihomo typically treats unmatched flows as DIRECT, but relying on implicit behavior is fragile across clients and versions.

rules:
  # ... domain, GEOIP, and IP rules above ...
  - MATCH,Proxy

Two popular closing strategies:

  • Foreign-default: GEOIP,CN,DIRECT then MATCH,Proxy—domestic IPs direct, rest through proxy. Common in CN split-tunnel configs.
  • Direct-default: MATCH,DIRECT after explicit DOMAIN-SUFFIX lines for sites that need proxy—only listed foreign services tunnel; everything else stays local. Safer on metered or restrictive networks when the proxy list is small.

Never put MATCH first. MATCH,Proxy as line one sends 100% of traffic through the proxy group; every DOMAIN and GEOIP rule below becomes dead code. Always audit the bottom of merged configs after subscription updates—providers sometimes prepend their own MATCH.

Building a Practical Split-Routing Ruleset

Below is a minimal but production-shaped template you can adapt in Clash Verge Rev's YAML editor. Replace Proxy with your main select group name. Order is intentional: localhost and LAN first, personal exceptions, provider rule-sets, country GEOIP, then MATCH.

proxy-groups:
  - name: Proxy
    type: select
    proxies:
      - Auto
      - DIRECT
      - HK-Node
      - US-Node
  - name: Auto
    type: url-test
    url: http://www.gstatic.com/generate_204
    interval: 300
    proxies:
      - HK-Node
      - US-Node

rules:
  - DOMAIN,localhost,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - GEOIP,LAN,DIRECT
  - DOMAIN-SUFFIX,office.com,DIRECT
  - DOMAIN-SUFFIX,windows.com,DIRECT
  - DOMAIN-SUFFIX,github.com,Proxy
  - DOMAIN-SUFFIX,githubusercontent.com,Proxy
  - DOMAIN-SUFFIX,google.com,Proxy
  - DOMAIN-SUFFIX,youtube.com,Proxy
  - RULE-SET,reject,REJECT
  - GEOSITE,cn,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,Proxy

Debugging checklist

  1. Confirm Rule mode in the client—not Global.
  2. Enable connection logs (Verge → Logs) and read which rule matched (rule field in Mihomo logs).
  3. Temporarily move a suspect DOMAIN rule upward to test priority without rewriting the whole file.
  4. DNS matters: fake-ip and redir-host modes change when GEOIP sees an IP. Align dns: settings with your rule strategy—covered in our complete Clash setup guide.
  5. After subscription refresh, verify providers did not inject a duplicate MATCH or reorder your custom prepend-rules.

Clash Verge Rev supports prepend-rules and append-rules in profile metadata so personal exceptions survive subscription updates without editing the provider blob each time—ideal for three DOMAIN-SUFFIX lines you never want overwritten.
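The audit the MATCH section and checklist item 5 ask for can be scripted. The following is an added example, not a tool shipped with Clash or Clash Verge Rev: it takes the rules: lines and the proxy-group names as plain Python lists (no YAML parsing) and reports, with 1-based positions, the mistakes this article describes: a policy naming a group that is not defined (the profile will not load), a missing, duplicated or non-final MATCH with the dead rules below it, a single-label DOMAIN-SUFFIX (the suffix trap), a DOMAIN or DOMAIN-SUFFIX already covered by an earlier suffix with a different policy, and a RULE-SET placed below a country GEOIP line. SAMPLE_RULES and SAMPLE_GROUPS are constructed to trip every check; the template above passes clean.

```python
"""Audit a Clash rules: list for the ordering mistakes described above.

Added example, not a tool shipped with Clash or Clash Verge Rev. It takes the
rule lines and the proxy-group names as plain Python lists (no YAML parsing)
and reports, with 1-based positions, anything that would make the profile
fail to load or leave rules shadowed. SAMPLE_RULES is constructed to trip
every check; a clean list returns [].
"""
BUILTIN_POLICIES = {"DIRECT", "REJECT", "REJECT-DROP", "PASS"}


def split_rule(line):
    """'TYPE,arg,policy[,option]' -> (type, arg, policy); MATCH has arg None."""
    parts = [p.strip() for p in line.split(",")]
    if parts[0].upper() == "MATCH":
        return "MATCH", None, parts[1]
    return parts[0].upper(), parts[1], parts[2]


def covered_by(name, suffix):
    """True when DOMAIN-SUFFIX,<suffix> would already match <name>."""
    return name == suffix or name.endswith("." + suffix)


def audit_rules(rules, group_names):
    """Return a list of (severity, position, message); an empty list means clean."""
    findings = []
    known = BUILTIN_POLICIES | set(group_names)
    seen, suffixes = set(), []          # suffixes: (position, suffix, policy)
    match_at = geoip_at = None
    for pos, line in enumerate(rules, start=1):
        rtype, arg, policy = split_rule(line)
        if policy not in known:
            findings.append(("error", pos,
                             f"policy '{policy}' is neither built-in nor a proxy group: profile will not load"))
        if line in seen:
            findings.append(("warn", pos, f"duplicate of an earlier rule: {line}"))
        seen.add(line)
        if match_at is not None and rtype != "MATCH":
            findings.append(("warn", pos, f"unreachable: MATCH at position {match_at} already catches everything"))
        if rtype == "MATCH":
            if match_at is None:
                match_at = pos
            else:
                findings.append(("error", pos, f"second MATCH; the one at position {match_at} ends evaluation"))
        elif rtype in ("DOMAIN", "DOMAIN-SUFFIX"):
            name = arg.lower().lstrip(".")
            if rtype == "DOMAIN-SUFFIX" and "." not in name:
                findings.append(("warn", pos, f"suffix trap: '{arg}' matches every host under .{name}"))
            for spos, suffix, spolicy in suffixes:
                if covered_by(name, suffix) and spolicy != policy:
                    findings.append(("warn", pos,
                                     f"shadowed: DOMAIN-SUFFIX,{suffix} at position {spos} already sends {name} to {spolicy}"))
            if rtype == "DOMAIN-SUFFIX":
                suffixes.append((pos, name, policy))
        elif rtype == "GEOIP" and arg.upper() != "LAN" and geoip_at is None:
            geoip_at = pos                  # first country rule; GEOIP,LAN is fine anywhere
        elif rtype == "RULE-SET" and geoip_at is not None:
            findings.append(("warn", pos, f"RULE-SET after GEOIP at position {geoip_at}: country match wins first"))
    if match_at is None:
        findings.append(("error", len(rules), "no MATCH rule: unmatched traffic is left to client defaults"))
    return findings


SAMPLE_GROUPS = ["Proxy", "Auto"]
SAMPLE_RULES = [
    "DOMAIN,localhost,DIRECT",
    "DOMAIN-SUFFIX,com,Proxy",             # suffix trap
    "DOMAIN-SUFFIX,example.com,DIRECT",    # shadowed by position 2
    "DOMAIN,api.example.com,Proxy",        # shadowed by position 3
    "GEOIP,CN,DIRECT",
    "RULE-SET,reject,REJECT",              # should sit above GEOIP,CN
    "DOMAIN-SUFFIX,github.com,HK-Select",  # group not defined
    "MATCH,Proxy",
    "DOMAIN-SUFFIX,youtube.com,Proxy",     # dead rule below MATCH
    "MATCH,Proxy",                         # duplicate MATCH
]

if __name__ == "__main__":
    for severity, pos, message in audit_rules(SAMPLE_RULES, SAMPLE_GROUPS):
        print(f"[{severity}] rule {pos}: {message}")
```

Feed it the merged rules: list after every subscription refresh; an "error" finding means the profile will not load or evaluation ends early, a "warn" finding means a rule you wrote is silently never consulted.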

Frequently Asked Questions

Why does a site proxy when GEOIP,CN,DIRECT is enabled?

Either a DOMAIN or DOMAIN-SUFFIX rule above GEOIP sends it to Proxy, the site resolves to a non-CN IP, or DNS fake-ip returns an address that GEOIP classifies abroad. Check logs for the matching rule name and test with a real DNS lookup on the hostname.

Can I use multiple GEOIP lines?

Yes. GEOIP,CN,DIRECT followed by GEOIP,US,Proxy handles two buckets; anything not CN or US falls through to MATCH. Order still matters—the first country match wins, so place narrower exceptions before broad ones.

What is the difference between REJECT and REJECT-DROP?

REJECT actively refuses the connection (often ICMP or TCP RST depending on platform). REJECT-DROP silently drops packets—useful for ad domains where you do not want the app to retry a fallback. Both appear in ad-blocking rule-sets.

Do rules work in TUN mode?

Yes. TUN captures packets earlier; the same rules: list classifies flows once Clash reconstructs the destination. Process and GEOIP rules become especially important when TUN is on because more apps bypass traditional system proxy settings.

Browser-only proxy extensions and single-app VPNs cannot express an ordered policy list across your entire system—they tunnel one browser profile or one app at a time with no GEOIP awareness. Plain remote-desktop "global VPN" products send domestic banking and video through overseas servers by default, adding latency and tripping trigger-happy fraud detection. Clash's rule engine sits in the middle: human-readable YAML, first-match semantics you control, and the same config from phone to router. Mihomo extends the vocabulary (GEOSITE, DOMAIN-REGEX, PROCESS-NAME) without breaking the classic DOMAIN / GEOIP / MATCH workflows millions of users already rely on.
