Clash Rule Provider Guide: Build Smart Routing Rules

Published by Clash Official Site. Rule-based routing is Clash's core feature: local sites direct, proxied services via proxy, ad domains blocked — all depending on rules and their domain/IP lists. Writing thousands of rules directly into your config is unwieldy and hard to maintain; every update requires a manual merge. Rule Provider (rule-set provider) lets rules be updated online and managed modularly — just like subscription-based node lists. This article explains how rule sets work and how to configure them in Mihomo / Clash Meta.

The Difference Between Rules and Rule Sets

A single rule looks like DOMAIN-SUFFIX,google.com,PROXY or GEOSITE,cn,DIRECT — it tells the core "how to handle this type of destination." A rule set is a collection of rules, typically maintained by the community or providers, split by category (e.g. "local domains," "ad blocking," "streaming services").

Rule Provider loads these collections from a remote URL or local path and auto-syncs them on a configured schedule. Your config file only needs to reference the provider name, then call it in the rules section via RULE-SET — drastically simplifying maintenance.

Think of Rule Provider as "a subscription link for rules" — content updates independently while your main config stays clean.

behavior Types: domain, ipcidr, classical

Each rule set must declare a behavior that determines file format and matching method:

• domain: Plain domain list, converted to DOMAIN / DOMAIN-SUFFIX rules at match time. Good for site-based routing.
• ipcidr: IP range list, for fine-grained IP routing beyond GEOIP, or blacklists.
• classical: Full rule lines that can include multiple rule types — most flexible, but largest file size.

In subscriptions, geosite-type sets are usually domain behavior; geoip-type sets are usually ipcidr. Using the wrong behavior causes loading or matching failures — must match what the rule set author specifies.

Configuring Rule Provider in Practice

In your YAML config, the rule-providers section defines providers and the rules section references them. The following example shows a typical setup importing open-source community rule sets:

rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://example.com/rules/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400

  direct:
    type: http
    behavior: domain
    url: "https://example.com/rules/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400

rules:
  - RULE-SET,reject,REJECT
  - RULE-SET,direct,DIRECT
  - GEOSITE,cn,DIRECT
  - GEOIP,cn,DIRECT
  - MATCH,PROXY

type: http means fetch from remote URL; path is the local cache path; interval is the auto-update interval in seconds. type: file is also supported for purely local rule sets — useful for small custom lists.

Relationship with Provider Subscription Rules

Many proxy provider Clash subscriptions already include complete rules and rule-providers built in — import and go, no extra setup needed. Scenarios where you'd add your own Rule Provider: adding an ad-blocking list, a company intranet direct-connect list, or a community-maintained streaming routing rule.

When merging, remember rules match top-to-bottom, first match wins. Generally put REJECT (ads/malicious) first, then DIRECT (local/intranet), then MATCH as the catch-all for proxy. Wrong ordering can route local traffic into the proxy via the final MATCH, slowing local access.

Maintenance Tips

1. Only use trusted Rule Provider URLs — malicious rules can hijack your traffic.
2. Limit the number of rule sets; too many remote fetches slow startup and update times.
3. If rules behave oddly after a subscription update, check the client logs to confirm the RULE-SET loaded successfully.
4. Most GUI clients support "Update external resources" to manually trigger a rule set refresh.

Common Issues

Rule set update fails: Check if the URL needs a proxy to access. Some GitHub Raw links may need a proxy — include that traffic in your rules or switch to a mirror.

Rule not firing: Confirm rules includes the RULE-SET,name,POLICY entry and the name matches the rule-providers key exactly.

Overlap with GEOSITE: Built-in geosite.dat and external RULE-SET can coexist, but watch the order to avoid duplicate matching causing performance loss.

Summary

Rule Provider upgrades Clash rule management from "manual stacking" to "modular subscription" — the key tool for advanced users building custom routing strategies. Once you understand behavior types, reference order, and the update mechanism, you can freely combine local direct, ad filtering, and dedicated routing rules without editing thousands of lines by hand.

Need clients and config templates? Visit the official download page for Mihomo core and GUI clients, and read the setup guide to complete your first subscription import.

Related Articles

• Clash DNS Configuration Guide
• Proxy Protocols Compared: SS, VMess, Trojan
• Load Balancing & Failover: Policy Groups
• Clash External Dashboard Guide