7. Routing, Rules, and Policies#

The routing system decides "which outbound a connection ultimately uses." Link1 evaluates rules in order and returns the result from the first matching rule.

Minimal Rule#

rules:
  - MATCH,DIRECT

Meaning: all connections go direct.

Common proxy configuration:

rules:
  - DOMAIN-SUFFIX,google.com,PROXY
  - GEOIP,CN,DIRECT
  - MATCH,PROXY

Meaning:

*.google.com uses PROXY.

If the destination IP belongs to CN, use DIRECT.

All other connections use PROXY.

Rule Format#

Regular rules:

TYPE,ARGUMENT,ACTION[,OPTIONS]

MATCH:

MATCH,ACTION

Logical rules:

AND,((rule1),(rule2)),ACTION
OR,((rule1),(rule2)),ACTION
NOT,((rule1)),ACTION

Sub-rule jump:

SUB-RULE,(condition expression),sub-rule name

Commas and Quotes#

Rule lines use commas to separate fields. In general, node names, policy group names, RULE-SET names, and SUB-RULE names should not contain commas. If they do contain commas, wrap the corresponding field in double quotes:

rules:
  - DOMAIN-SUFFIX,corp.example,"Corp, VPN"
  - RULE-SET,"$Corp, VPN","Corp, VPN"
  - MATCH,"Fallback, Group"

Inside double quotes, use a backslash to escape " and \. Single quotes can also wrap fields; inside single quotes, use two single quotes to represent one literal single quote. Quotes only affect comma splitting and removal of the surrounding quotes; they do not change field semantics. The action must still match an actual node name or policy group name.

What Is an Action?#

An action is the target that handles a rule match. It can be:

DIRECT: connect directly.

REJECT: reject the connection.

A static node name.

A node name generated by a provider.

A policy group name.

If the action does not exist, configuration compilation fails.

Complete Rule Type List#

Domain Rules#

Type	Argument	Meaning	Example
`DOMAIN`	Domain	Exact domain match	`DOMAIN,example.com,DIRECT`
`DOMAIN-SUFFIX`	Suffix	Match domain suffix	`DOMAIN-SUFFIX,google.com,PROXY`
`DOMAIN-KEYWORD`	Keyword	Domain contains keyword	`DOMAIN-KEYWORD,google,PROXY`
`DOMAIN-WILDCARD`	Wildcard	Match using `*` wildcard	`DOMAIN-WILDCARD,*.example.com,PROXY`
`DOMAIN-REGEX`	Regex	Match domain by regex	`DOMAIN-REGEX,^api\..*,PROXY`
`GEOSITE`	Category	Match by GeoSite category	`GEOSITE,cn,DIRECT`

Practical impact: these rules require Link1 to know the domain name. Explicit proxies can usually obtain the domain; TUN/transparent proxying depends on DNS/Fake-IP/Sniffer.

IP, GeoIP, and ASN Rules#

Type	Argument	Meaning	Example
`IP-CIDR`	CIDR	Destination IP belongs to a subnet	`IP-CIDR,10.0.0.0/8,DIRECT,no-resolve`
`IP-CIDR6`	IPv6 CIDR	Destination IPv6 belongs to a subnet	`IP-CIDR6,fc00::/7,DIRECT,no-resolve`
`IP-SUFFIX`	IP suffix	Match destination IP suffix	`IP-SUFFIX,1.2,DIRECT`
`IP-ASN`	ASN	Match destination IP ASN	`IP-ASN,13335,PROXY`
`GEOIP`	Country/region code	Match destination IP GeoIP	`GEOIP,CN,DIRECT`
`SRC-GEOIP`	Country/region code	Match source IP GeoIP	`SRC-GEOIP,CN,DIRECT`
`SRC-IP-ASN`	ASN	Match source IP ASN	`SRC-IP-ASN,45102,DIRECT`
`SRC-IP-CIDR`	CIDR	Source IP belongs to a subnet	`SRC-IP-CIDR,192.168.9.0/24,DIRECT`
`SRC-IP-SUFFIX`	IP suffix	Match source IP suffix	`SRC-IP-SUFFIX,9.10,DIRECT`

Effect of no-resolve:

When written after an IP-related rule, it means do not actively resolve the domain for this rule.

Suitable for rules that do not need DNS, such as reserved addresses and private network addresses.

If the destination only has a domain and the rule requires an IP, it will not match without resolution.

Port, Inbound, and Network Rules#

Type	Argument	Meaning	Example
`DST-PORT`	Port/range	Match destination port	`DST-PORT,443,PROXY`
`SRC-PORT`	Port/range	Match source port	`SRC-PORT,50000-60000,DIRECT`
`IN-PORT`	Port/range	Match inbound port	`IN-PORT,7890,PROXY`
`IN-TYPE`	Type, separated by `/`	Match inbound type	`IN-TYPE,tun/HTTP,PROXY`
`IN-USER`	User, separated by `/`	Match inbound authenticated user	`IN-USER,alice,PROXY`
`IN-NAME`	Inbound name, separated by `/`	Match listener/TUN and other entry names	`IN-NAME,hy2-in,PROXY`
`NETWORK`	`tcp` or `udp`	Match network type	`NETWORK,udp,PROXY`
`DSCP`	0-63 or range	Match DSCP value	`DSCP,46,PROXY`

Common port range formats: 80, 443, 10000-20000. In TUN selectors, port ranges use start:end; in rules, use the range format supported by the rule parser.

Process and UID Rules#

Type	Argument	Meaning	Example
`PROCESS-PATH`	Path	Exact process path match	`PROCESS-PATH,/usr/bin/curl,DIRECT`
`PROCESS-PATH-WILDCARD`	Wildcard	Wildcard process path match	`PROCESS-PATH-WILDCARD,*/Chrome,PROXY`
`PROCESS-PATH-REGEX`	Regex	Regex process path match	`PROCESS-PATH-REGEX,./Chrome.,PROXY`
`PROCESS-NAME`	Name	Exact process name match	`PROCESS-NAME,curl,DIRECT`
`PROCESS-NAME-WILDCARD`	Wildcard	Wildcard process name match	`PROCESS-NAME-WILDCARD,Google*,PROXY`
`PROCESS-NAME-REGEX`	Regex	Regex process name match	`PROCESS-NAME-REGEX,.Chrome.,PROXY`
`UID`	UID or range	Linux/Android UID match	`UID,1000-1002,PROXY`

Practical impact:

Process rules depend on platform capabilities and find-process-mode.

Process information may be unavailable on routers, in containers, or under limited system permissions.

UID rules are only supported on Linux/Android.

Rule Sets and Logical Rules#

Type	Argument	Meaning	Example
`RULE-SET`	Rule set name	Reference `rule-providers` or `rule-sets`	`RULE-SET,private,DIRECT`
`AND`	Rule expression	All conditions must be met	`AND,((DOMAIN-SUFFIX,example.com),(DST-PORT,443)),PROXY`
`OR`	Rule expression	Any condition is met	`OR,((DOMAIN,a.com),(DOMAIN,b.com)),PROXY`
`NOT`	Rule expression	Condition is not met	`NOT,((GEOIP,CN)),PROXY`
`SUB-RULE`	Condition + sub-rule name	Jump to a sub-rule when the condition is met	`SUB-RULE,(DST-PORT,443),tls-flow`
`MATCH`	None	Fallback	`MATCH,DIRECT`

MATCH and SUB-RULE cannot be used as inner matchers in logical rules.

Sub-rules#

Sub-rules let you extract part of the rule flow:

sub-rules:
  tls-flow:
    - DOMAIN-SUFFIX,openai.com,AI
    - DOMAIN-SUFFIX,github.com,PROXY
    - MATCH,DIRECT

rules:
  - SUB-RULE,(DST-PORT,443),tls-flow
  - MATCH,DIRECT

Practical impact:

After the main rule matches the SUB-RULE condition, matching continues in the specified sub-rule list.

The sub-rule name must exist.

Avoid circular references.

rule-providers#

Rule providers load large numbers of rules from HTTP, files, or inline payloads.

rule-providers:
  private:
    type: http
    behavior: domain
    format: text
    url: https://example.com/private.txt
    path: ./rules/private.txt
    interval: 86400
    proxy: DIRECT
    size-limit: 1048576

rules:
  - RULE-SET,private,DIRECT

Field effects:

Field	Meaning	Practical impact
`type`	`http`, `file`, `inline`	Determines the rule source
`behavior`	`domain`, `ipcidr`, `classical`	Determines how the payload is interpreted and optimized
`format`	`yaml`, `text`, `mrs`	Determines the file format
`url`	HTTP URL	Used when `type=http`
`path`	Local path/cache path	Used for `http` cache or `file` reading
`interval`	Refresh interval, in seconds	Controls automatic refresh frequency
`proxy`	Outbound used to download the provider	Prevents rule subscriptions from being blocked by the network environment
`header`	HTTP request headers	Used for authentication or User-Agent
`payload`	Inline rules	Used when `type=inline`
`size-limit`	Download size limit	Prevents abnormally large responses from consuming memory/disk

Choosing behavior#

behavior	Payload content	Suitable for
`domain`	Domains, suffixes, keywords, etc.	Domain-based routing
`ipcidr`	CIDR lists	IP-based routing, TUN route sets
`classical`	Full rule syntax	Reusing complex rule lists

rule-sets#

rule-sets are parsed/inline rule set configurations, usually used for runtime or advanced configuration. Users should generally prefer rule-providers.

Recommended Rule Order#

Recommended order: from specific to general.

rules:
  # 1. Localhost, LAN, and management plane
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - DOMAIN-SUFFIX,lan,DIRECT

  # 2. Explicit business domains
  - DOMAIN-SUFFIX,openai.com,AI
  - DOMAIN-SUFFIX,github.com,PROXY

  # 3. Large rule sets
  - RULE-SET,reject,REJECT
  - RULE-SET,private,DIRECT
  - RULE-SET,china,DIRECT
  - RULE-SET,global,PROXY

  # 4. IP geo rules
  - GEOIP,CN,DIRECT

  # 5. Final fallback
  - MATCH,PROXY

Testing Rules with Link1 App#

The rule testing feature in Link1 App can construct a "virtual connection." It does not actually access the network; it only checks how rules would match. Common inputs include:

Input	Example	Affects which rules
Destination domain	`chat.example.com`	`DOMAIN`, `DOMAIN-SUFFIX`, `GEOSITE`
Destination IP	`1.1.1.1`	`IP-CIDR`, `GEOIP`, `IP-ASN`
Port	`443`	`DST-PORT`
Network type	`tcp` / `udp`	`NETWORK`
Inbound type	`mixed` / `tun`	`IN-TYPE`, `IN-NAME`, `IN-PORT`
Source IP	`192.168.9.10`	`SRC-IP-CIDR`, `SRC-GEOIP`

Focus on three things in the test result:

Which rule was matched.

Whether the final action is a node, policy group, DIRECT, or REJECT.

Whether it fell through to the fallback MATCH due to a missing domain, missing source information, or rule order.

If the rule test is correct but the real connection is not, the real connection metadata differs from the test input. The most common reason is that under transparent proxying/TUN, the real connection only has an IP and no domain.