Rules are the heart of a Clash config: every new connection walks the rule list from the first line down, stopping at the first match. Get the rules right and routing mostly takes care of itself.
Syntax
rules:
- TYPE,match-content,outbound
# for example:
- DOMAIN-SUFFIX,youtube.com,Select
- GEOIP,CN,DIRECT
- MATCH,Select
The outbound can be a proxy group name, DIRECT (no proxy) or REJECT (block).
Common rule types
| Type | Matches | Example |
|---|---|---|
DOMAIN | Exact domain | DOMAIN,www.google.com,PROXY |
DOMAIN-SUFFIX | Domain and all subdomains | DOMAIN-SUFFIX,google.com,PROXY |
DOMAIN-KEYWORD | Domain containing keyword | DOMAIN-KEYWORD,google,PROXY |
IP-CIDR | Destination IPv4 range | IP-CIDR,8.8.8.8/32,PROXY |
GEOIP | IP's country | GEOIP,CN,DIRECT |
PROCESS-NAME | Originating process | PROCESS-NAME,Telegram.exe,PROXY |
RULE-SET | External rule set | RULE-SET,ads,REJECT |
MATCH | Everything (fallback) | MATCH,PROXY |
Why order matters
Consider these two rules:
- DOMAIN-SUFFIX,cn.example.com,DIRECT
- DOMAIN-SUFFIX,example.com,PROXY
As written, cn.example.com goes direct and everything else on example.com is proxied. Swap them and the broader rule swallows everything first - the second line never fires. Principle: specific rules first, broad rules later.
The MATCH fallback
The list should end with exactly one MATCH rule handling whatever nothing else matched (without it, unmatched traffic goes direct). Pointing MATCH at a proxy group ("unknown → proxy") versus DIRECT ("unknown → direct") is the difference between a whitelist and a blacklist strategy.