Description

After upgrading from 2026.2.19-2 to 2026.2.22-2, web_fetch blocks all requests with:

Blocked: resolves to private/internal/special-use IP address

This is caused by the new RFC2544_BENCHMARK_PREFIX check (198.18.0.0/15) added in ssrf-*.js.

Root Cause

Clash/mihomo (widely used proxy tool in China) uses enhanced-mode: fake-ip with fake-ip-range: 198.18.0.1/16 by default. In TUN mode, all DNS queries return virtual IPs in the 198.18.x.x range, which are then transparently forwarded to the real destination by the Clash kernel.

The new SSRF rule treats 198.18.0.0/15 as a special-use range and blocks it, breaking web_fetch for all users running Clash/mihomo in fake-ip mode.

Impact

• web_fetch is completely unusable under Clash fake-ip mode
• web_search (Brave API) is unaffected (server-side request)
• browser tool has ssrfPolicy.allowPrivateNetwork config option, but web_fetch does not
• Affects a large number of users in China who rely on Clash/mihomo for network access

Steps to Reproduce

1. Run Clash/mihomo with enhanced-mode: fake-ip and fake-ip-range: 198.18.0.1/16
2. Enable TUN mode
3. Use web_fetch to access any URL
4. All requests are blocked

Expected Behavior

web_fetch should work under Clash fake-ip mode, as it did in 2026.2.19-2.

Suggested Fix

Either:

1. Expose ssrfPolicy.allowPrivateNetwork for web_fetch (like browser already has)
2. Or add a global tools.web.fetch.ssrfPolicy config option
3. Or reconsider blocking 198.18.0.0/15 since it is commonly used by proxy tools as a virtual IP range

Environment

• OpenClaw: 2026.2.22-2
• OS: macOS 26.0.1 (arm64)
• Clash Verge Rev + mihomo kernel
• DNS: fake-ip mode, range 198.18.0.1/16