Summary
Settings.proxyIgnoreList (the "忽略 / Ignore" list in More Settings → General) is written to the macOS system-proxy bypass list via kCFNetworkProxiesExceptionsList, but mihomo does not read that list. In Rule mode every packet goes:
App → macOS system proxy (127.0.0.1:7890) → mihomo → matched against rules → out via DIRECT / Proxy
↑
mihomo never consults macOS bypass settings
Result: the entries the user puts in this UI have zero effect on actual proxy routing in Rule mode. The list is silently ignored, but the UI presents it as if it filters traffic.
Reproduce
- Run ClashFX in Rule mode (Enhanced Mode OFF)
- More Settings → General → Ignore List → add
*.126.net (or any domain the active subscription routes via Proxy)
- Open the affected app (e.g. NetEase Music)
- ClashFX → Connections viewer → observe the
126.net connection still goes through Proxy, matched by MATCH or GeoIP rules
Root cause
Two independent bypass mechanisms exist:
| Setting |
Stored As |
Applied To |
Honored In |
proxyIgnoreList (this issue) |
macOS kCFNetworkProxiesExceptionsList via privileged helper |
System-level HTTP proxy bypass list |
Apps that read system proxy settings directly (Safari, curl, …). Not read by mihomo. |
tunRouteExcludeList |
Passed to clashWriteEnhancedConfig(...) Go function |
mihomo TUN config (tun.route-exclude etc.) |
Enhanced Mode only |
The Ignore List UI in Rule mode points at the wrong mechanism — it configures macOS, but macOS's setting is bypassed because traffic already goes through mihomo on 127.0.0.1:7890, and the mihomo rule engine doesn't look at macOS bypass.
Relevant code:
Reported by user
#104 — user added *.126.net to the ignore list expecting NetEase Music to bypass the proxy. It did not.
Proposed fix (one of)
Option A: Inject DIRECT rules into the active mihomo config
When the user edits proxyIgnoreList in Rule mode, ClashFX should also inject corresponding DOMAIN-SUFFIX,<entry>,DIRECT (or matching) rules at the top of the active config's rules: section, then trigger a config reload. This way the bypass actually takes effect because mihomo sees it.
- Pros: keeps existing UI affordance, fixes the silent-no-op behavior
- Cons: needs careful handling of subscription auto-update (which would otherwise overwrite the injection); also wildcard syntax has to be translated (
*.126.net → DOMAIN-SUFFIX,126.net)
Option B: Merge with #108 (mode-aware bypass toggle)
Deprecate the two-list design, replace with the unified mode-aware mechanism #108 is already designing. The Ignore List becomes a thin layer on top of #108's injection logic, working uniformly in both Rule and Enhanced modes.
Option C (short term): Disable + label the field in Rule mode
As a quick mitigation, grey out the Ignore List in Rule mode and add a tooltip: "macOS bypass list is not honored by the proxy engine in Rule mode. Use the config editor to add DOMAIN-SUFFIX,<host>,DIRECT rules instead."
Not satisfying but at least stops the silent no-op confusion until A or B lands.
Implementation tasks (Option A path)
Related
Summary
Settings.proxyIgnoreList(the "忽略 / Ignore" list in More Settings → General) is written to the macOS system-proxy bypass list viakCFNetworkProxiesExceptionsList, but mihomo does not read that list. In Rule mode every packet goes:Result: the entries the user puts in this UI have zero effect on actual proxy routing in Rule mode. The list is silently ignored, but the UI presents it as if it filters traffic.
Reproduce
*.126.net(or any domain the active subscription routes via Proxy)126.netconnection still goes through Proxy, matched byMATCHorGeoIPrulesRoot cause
Two independent bypass mechanisms exist:
proxyIgnoreList(this issue)kCFNetworkProxiesExceptionsListvia privileged helpertunRouteExcludeListclashWriteEnhancedConfig(...)Go functiontun.route-excludeetc.)The Ignore List UI in Rule mode points at the wrong mechanism — it configures macOS, but macOS's setting is bypassed because traffic already goes through mihomo on
127.0.0.1:7890, and the mihomo rule engine doesn't look at macOS bypass.Relevant code:
Settings.swift—proxyIgnoreListdefinitionSystemProxyManager.swift— passes the list to the helperProxyConfigHelper/ProxySettingTool.m— writeskCFNetworkProxiesExceptionsList(line ~151)Reported by user
#104 — user added
*.126.netto the ignore list expecting NetEase Music to bypass the proxy. It did not.Proposed fix (one of)
Option A: Inject DIRECT rules into the active mihomo config
When the user edits
proxyIgnoreListin Rule mode, ClashFX should also inject correspondingDOMAIN-SUFFIX,<entry>,DIRECT(or matching) rules at the top of the active config'srules:section, then trigger a config reload. This way the bypass actually takes effect because mihomo sees it.*.126.net→DOMAIN-SUFFIX,126.net)Option B: Merge with #108 (mode-aware bypass toggle)
Deprecate the two-list design, replace with the unified mode-aware mechanism #108 is already designing. The Ignore List becomes a thin layer on top of #108's injection logic, working uniformly in both Rule and Enhanced modes.
Option C (short term): Disable + label the field in Rule mode
As a quick mitigation, grey out the Ignore List in Rule mode and add a tooltip: "macOS bypass list is not honored by the proxy engine in Rule mode. Use the config editor to add
DOMAIN-SUFFIX,<host>,DIRECTrules instead."Not satisfying but at least stops the silent no-op confusion until A or B lands.
Implementation tasks (Option A path)
proxyIgnoreListentries into mihomo rule syntax (DOMAIN-SUFFIX,DOMAIN-KEYWORD,IP-CIDR, etc.) — esp. handle leading-wildcard like*.example.comrules:on Rule-mode activation / list changeRelated