If nodes are Clash's limbs, rules are its brain. The same node list can feel smooth or awkward depending on how rules are written. This article avoids jargon overload and explains how matching works, then gives you a pattern you can reuse.
How Does Rule Matching Work?
Remember one line: rules match top to bottom; the first hit wins. Clash takes the destination of the current connection and compares it against each rule in order. When one matches, it executes that rule's policy and ignores the rest.
That implies something important: order is everything. Put more specific rules first and broader ones later—or a wide rule will match early and block specific rules below. That is the most common beginner trap.
What Does a Rule Look Like?
Each rule follows type,match value,policy. For example, DOMAIN-SUFFIX,google.com,PROXY means: any domain ending in google.com goes to the policy group named PROXY. The policy can be a group, a single node, or built-ins like DIRECT (direct) or REJECT (block).
Common Rule Types at a Glance
| Type | Description | Example |
|---|---|---|
DOMAIN | Exact full domain match | DOMAIN,www.google.com,PROXY |
DOMAIN-SUFFIX | Domain suffix match (most common) | DOMAIN-SUFFIX,google.com,PROXY |
DOMAIN-KEYWORD | Domain contains keyword | DOMAIN-KEYWORD,google,PROXY |
IP-CIDR | IP range match | IP-CIDR,192.168.0.0/16,DIRECT |
GEOIP | Match IP by country/region | GEOIP,CN,DIRECT |
PROCESS-NAME | Match by process name | PROCESS-NAME,Telegram,PROXY |
MATCH | Catch-all for remaining traffic | MATCH,PROXY |
DOMAIN-SUFFIX is used most often because one rule can cover all subdomains. MATCH is the catch-all—always put it last—for anything earlier rules missed.
A Classic Rule Order
In practice, organize rules from private to public, specific to broad:
- LAN and private addresses: use
IP-CIDRto direct local ranges—avoid proxying local devices; - Domains to block: ads and trackers with
REJECT; - Services that must use proxy: overseas services via
DOMAIN-SUFFIX; - Services that must stay direct: domestic sites via
DOMAIN-SUFFIX; - Geographic fallback:
GEOIP,CN,DIRECTfor remaining domestic IPs; - Final catch-all:
MATCHsends everything else to proxy.
rules: - IP-CIDR,192.168.0.0/16,DIRECT - DOMAIN-KEYWORD,ad,REJECT - DOMAIN-SUFFIX,google.com,PROXY - DOMAIN-SUFFIX,bilibili.com,DIRECT - GEOIP,CN,DIRECT - MATCH,PROXY
Rule Providers: A Lower-Maintenance Approach
Hand-writing hundreds of rules is tedious. Community rule providers (rule-providers) pack large rule sets into remotely updatable files—you reference them and refresh on a schedule. Pull in sets like "domestic domains" and "ad block lists," wire them with a few routing rules, and your config stays clean and easier to maintain.
Small Tips for Debugging Rules
- Use logs: raise log level to see which rule each connection hit—very helpful;
- Compare with global mode: if a site fails in rule mode but works globally, it is likely a rule issue;
- Reload after edits: most clients hot-reload; change a line, reload, no restart needed.
REJECT and Ad Blocking
Besides direct and proxy, REJECT drops the connection. It is commonly used for ads and trackers: when an ad domain hits REJECT, the request is cut off and the slot never loads—cleaner pages and less bandwidth. Pair it with community ad-domain rule sets for a strong effect.
Rules and Policy Groups Together
Rules often point at a policy group name, not a single node. That decouples routing from node choice: rules answer "which group handles this traffic," and you pick the active node in the UI. Example: create a "Streaming" group, point streaming rules at it, and switch all streaming traffic by changing one group—not every rule line.
Common Beginner Mistakes
The classic error is reversed order—putting GEOIP,CN,DIRECT or MATCH above a specific proxy rule so broad traffic matches first and the specific rule never runs ("I wrote the rule but nothing happens"). Remember: specific first, catch-all last. Another frequent issue is YAML indentation; one extra or missing space can break the whole config.
Summary
Rules boil down to: order first, specific wins. Build the skeleton—private → reject → proxy → direct → catch-all—then fill details with rule providers for precise, maintainable routing. For full type reference, see Documentation · Rule Types Reference.
Rules are not hard once the model clicks; the work is tuning them to your habits. Start from a solid template, then adjust when you notice "should proxy but went direct" or the reverse. Rules are the best time investment in Clash—get them right and they pay off for years.