github.com/igoogolx/clash@v1.19.8/docs/configuration/rules.md (about)

     1  ---
     2  sidebarTitle: Rules
     3  sidebarOrder: 5
     4  ---
     5  
     6  # Rules
     7  
     8  In the Getting Started guide, we covered the basics of rule-based matching in Clash. In this chapter, we'll cover all available rule types in the latest version of Clash.
     9  
    10  ```txt
    11  TYPE,ARGUMENT,POLICY(,no-resolve)
    12  ```
    13  
    14  The `no-resolve` option is optional and skips DNS resolution for the rule. It's useful when you want to use `GEOIP`, `IP-CIDR`, `IP-CIDR6` or `SCRIPT` rules, but don't want to resolve the domain name to an IP address just yet.
    15  
    16  [[toc]]
    17  
    18  ## Policy
    19  
    20  There are currently four types of POLICY:
    21  
    22  - DIRECT: directly connects to the target through `interface-name` (does not look up the system route table)
    23  - REJECT: drops the packet
    24  - Proxy: routes the packet to the specified proxy server
    25  - Proxy Group: routes the packet to the specified proxy group
    26  
    27  ## Types of rules
    28  
    29  There are a number of rule types that one might find useful. The following sections cover each rule type and how it should be used.
    30  
    31  ### DOMAIN
    32  
    33  `DOMAIN,www.google.com,policy` routes only `www.google.com` to `policy`.
    34  
    35  ### DOMAIN-SUFFIX
    36  
    37  `DOMAIN-SUFFIX,youtube.com,policy` routes any domain name that ends with `youtube.com` to `policy`.
    38  
    39  In this case, `www.youtube.com` and `foo.bar.youtube.com` will be routed to `policy`.
    40  
    41  ### DOMAIN-KEYWORD
    42  
    43  `DOMAIN-KEYWORD,google,policy` routes any domain name that contains `google` to `policy`.
    44  
    45  In this case, `www.google.com` or `googleapis.com` are routed to `policy`.
    46  
    47  ### GEOIP
    48  
    49  GEOIP rules are used to route packets based on the **country code** of the target IP address. Clash uses the [MaxMind GeoLite2](https://dev.maxmind.com/geoip/geoip2/geolite2/) database for this feature.
    50  
    51  ::: warning
    52  When encountering this rule, Clash will resolve the domain name to an IP address and then look up the country code of the IP address. If you want to skip the DNS resolution, use the `no-resolve` option.
    53  :::
    54  
    55  `GEOIP,CN,policy` routes any packets destined to a China IP address to `policy`.
    56  
    57  ### IP-CIDR
    58  
    59  IP-CIDR rules are used to route packets based on the **destination IPv4 address** of the packet.
    60  
    61  ::: warning
    62  When encountering this rule, Clash will resolve the domain name to an IP address. If you want to skip the DNS resolution, use the `no-resolve` option.
    63  :::
    64  
    65  `IP-CIDR,127.0.0.0/8,DIRECT` routes any packets destined to `127.0.0.0/8` to the `DIRECT` outbound.
    66  
    67  ### IP-CIDR6
    68  
    69  IP-CIDR6 rules are used to route packets based on the **destination IPv6 address** of the packet.
    70  
    71  ::: warning
    72  When encountering this rule, Clash will resolve the domain name to an IP address. If you want to skip the DNS resolution, use the `no-resolve` option.
    73  :::
    74  
    75  `IP-CIDR6,2620:0:2d0:200::7/32,policy` routes any packets destined to `2620:0:2d0:200::7/32` to `policy`.
    76  
    77  ### SRC-IP-CIDR
    78  
    79  SRC-IP-CIDR rules are used to route packets based on the **source IPv4 address** of the packet.
    80  
    81  `SRC-IP-CIDR,192.168.1.201/32,DIRECT` routes any packets **from** `192.168.1.201/32` to the `DIRECT` policy.
    82  
    83  ### SRC-PORT
    84  
    85  SRC-PORT rules are used to route packets based on the **source port** of the packet.
    86  
    87  `SRC-PORT,80,policy` routes any packets **from** the port 80 to `policy`.
    88  
    89  ### DST-PORT
    90  
    91  DST-PORT rules are used to route packets based on the **destination port** of the packet.
    92  
    93  `DST-PORT,80,policy` routes any packets **to** the port 80 to `policy`.
    94  
    95  ### PROCESS-NAME
    96  
    97  PROCESS-NAME rules are used to route packets based on the name of the process that is sending the packet.
    98  
    99  ::: warning
   100  Currently, only macOS, Linux, FreeBSD and Windows are supported.
   101  :::
   102  
   103  `PROCESS-NAME,nc,DIRECT` routes all packets from the process `nc` to the `DIRECT` outbound.
   104  
   105  ### PROCESS-PATH
   106  
   107  PROCESS-PATH rules are used to route packets based on the path of the process that is sending the packet.
   108  
   109  ::: warning
   110  Currently, only macOS, Linux, FreeBSD and Windows are supported.
   111  :::
   112  
   113  `PROCESS-PATH,/bin/sh,DIRECT` routes all packets from the process `/bin/sh` to the `DIRECT` outbound.
   114  
   115  ### IPSET
   116  
   117  IPSET rules are used to match against an IP set and route packets based on the result. According to the [official website of IPSET](https://ipset.netfilter.org/):
   118  
   119  > IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set.
   120  
   121  Therefore, this feature only works on Linux and requires `ipset` to be installed.
   122  
   123  ::: warning
   124  When encountering this rule, Clash will resolve the domain name to an IP address. If you want to skip the DNS resolution, use the `no-resolve` option.
   125  :::
   126  
   127  `IPSET,chinaip,DIRECT` routes all packets with destination IPs matching the `chinaip` IPSET to DIRECT outbound.
   128  
   129  ### RULE-SET
   130  
   131  ::: info
   132  This feature is only available in the [Premium](/premium/introduction) edition.
   133  :::
   134  
   135  RULE-SET rules are used to route packets based on the result of a [rule provider](/premium/rule-providers). When Clash encounters this rule, it loads the rules from the specified rule provider and then matches the packet against the rules. If the packet matches any of the rules, the packet will be routed to the specified policy, otherwise the rule is skipped.
   136  
   137  ::: warning
   138  When encountering RULE-SET, Clash will resolve the domain name to an IP address **when the ruleset is of type IPCIDR**. If you want to skip the DNS resolution, use the `no-resolve` option for the RULE-SET entry.
   139  :::
   140  
   141  `RULE-SET,my-rule-provider,DIRECT` loads all rules from `my-rule-provider` and sends the matched packets to the `DIRECT` outbound.
   142  
   143  ### SCRIPT
   144  
   145  ::: info
   146  This feature is only available in the [Premium](/premium/introduction) edition.
   147  :::
   148  
   149  SCRIPT rules are special rules that are used to route packets based on the result of a [script shortcut](/premium/script-shortcuts). When Clash encounters this rule, it evaluates the expression. If it returns `true`, the packet will be routed to the specified policy, otherwise the rule is skipped.
   150  
   151  ::: warning
   152  When encountering this rule, Clash will resolve the domain name to an IP address. If you want to skip the DNS resolution, use the `no-resolve` option.
   153  :::
   154  
   155  `SCRIPT,SHORTCUT-NAME,policy` routes any packets to `policy` if the shortcut evaluates to `true`.
   156  
   157  ### MATCH
   158  
   159  `MATCH,policy` routes the rest of the packets to `policy`. This rule is **required** and is usually used as the last rule.
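
The warnings above say that several rule types resolve the domain name unless `no-resolve` is set, and that `MATCH` is required. The following linter is an added example, not code from the Clash project: it checks the `TYPE,ARGUMENT,POLICY(,no-resolve)` shape, reports a missing `MATCH`, and flags `DOMAIN*` rules that are only reached after an earlier rule has already triggered a DNS lookup. It assumes rules are evaluated top to bottom; the names `parse`, `Lint` and `resolves` and the sample rules are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule types the page says resolve the domain name unless no-resolve is set (RULE-SET omitted: depends on the provider type).
var resolves = map[string]bool{"GEOIP": true, "IP-CIDR": true, "IP-CIDR6": true, "IPSET": true, "SCRIPT": true}

// parse checks the TYPE,ARGUMENT,POLICY(,no-resolve) shape and returns the type and the no-resolve flag.
func parse(line string) (string, bool, error) {
	f := strings.Split(line, ",")
	typ, last, n := strings.TrimSpace(f[0]), strings.TrimSpace(f[len(f)-1]), len(f)
	if typ == "MATCH" {
		n++ // MATCH has no ARGUMENT field
	}
	if n == 3 || (n == 4 && last == "no-resolve") {
		return typ, n == 4, nil
	}
	return "", false, fmt.Errorf("malformed rule %q", line)
}

// Lint walks the rules top to bottom (assumed evaluation order) and returns one finding per problem.
func Lint(lines []string) []string {
	var out []string
	resolvedAt, hasMatch := 0, false // resolvedAt: 1-based line of the first resolving rule, 0 = none
	for i, l := range lines {
		typ, noResolve, err := parse(l)
		switch {
		case err != nil:
			out = append(out, fmt.Sprintf("%d: %v", i+1, err))
		case typ == "MATCH":
			hasMatch = true
		case resolves[typ] && !noResolve && resolvedAt == 0:
			resolvedAt = i + 1
		case strings.HasPrefix(typ, "DOMAIN") && resolvedAt > 0:
			out = append(out, fmt.Sprintf("%d: %s is checked after line %d has already resolved the name", i+1, typ, resolvedAt))
		}
	}
	if !hasMatch {
		out = append(out, "no MATCH rule")
	}
	return out
}

func main() { // constructed rule list, not from the page
	fmt.Println(strings.Join(Lint([]string{"GEOIP,CN,DIRECT", "DOMAIN-SUFFIX,example.org,Proxy"}), "\n"))
}
```

Moving domain rules above the first resolving rule, or adding `no-resolve` to that rule, clears the ordering finding.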