Move network.client.ip out of AppSec into HttpServerDecorator

smola · smola · commit 2a1428eb2abf · 2026-04-27T13:31:39.000+02:00
network.client.ip now shares the same activation logic as http.client_ip
(DD_APPSEC_ENABLED or DD_TRACE_CLIENT_IP_ENABLED) and is no longer
exclusive to AppSec events. Move it from GatewayBridge (where it was
set only when security events fired) into HttpServerDecorator alongside
http.client_ip, using the raw peer/socket IP.

actor.ip remains in AppSec as a deprecated backward-compatibility tag.
diff --git a/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java b/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java
@@ -370,6 +370,9 @@ public AgentSpan onRequest(
       } else {
         span.setTag(Tags.PEER_HOST_IPV4, peerIp);
       }
+      if (clientIpResolverEnabled) {
+        span.setTag(Tags.NETWORK_CLIENT_IP, peerIp);
+      }
     }
     setPeerPort(span, peerPort);
     Flow<Void> flow = callIGCallbackAddressAndPort(span, peerIp, peerPort, inferredAddressStr);
diff --git a/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecoratorTest.groovy b/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecoratorTest.groovy
@@ -218,6 +218,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     1 * this.span.setTag(Tags.HTTP_FORWARDED_HOST, "somehost")
     if (conn?.peerIp) {
       1 * this.span.setTag(ipv4 ? Tags.PEER_HOST_IPV4 : Tags.PEER_HOST_IPV6, conn.peerIp)
+      1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, conn.peerIp)
     }
     if (conn?.ip) {
       1 * this.span.setTag(Tags.HTTP_CLIENT_IP, conn.ip)
@@ -253,6 +254,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
 
     then:
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, result)
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, peerIpAddr)
 
     where:
     headerIpAddr | peerIpAddr  | result
@@ -277,6 +279,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     0 * extracted.getForwarded()
     0 * span.setTag(Tags.HTTP_FORWARDED, _)
     0 * this.span.setTag(Tags.HTTP_CLIENT_IP, _)
+    0 * this.span.setTag(Tags.NETWORK_CLIENT_IP, _)
   }
 
   void 'disabling appsec disables header collection and ip address resolution'() {
@@ -294,6 +297,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     0 * extracted.getForwarded()
     0 * span.setTag(Tags.HTTP_FORWARDED, _)
     0 * this.span.setTag(Tags.HTTP_CLIENT_IP, _)
+    0 * this.span.setTag(Tags.NETWORK_CLIENT_IP, _)
   }
 
   void 'disabling appsec but enabling client_ip_without_appsec enables header collection and ip address resolution'() {
@@ -313,6 +317,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     2 * extracted.getXForwardedFor() >> '2.3.4.5'
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, '2.3.4.5')
     1 * this.span.setTag(Tags.HTTP_FORWARDED_IP, '2.3.4.5')
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, '4.4.4.4')
 
     // Forwarded doesn't participate in client ip resolution anymore
     1 * extracted.getForwarded() >> 'for=9.9.9.9'
@@ -333,6 +338,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     then:
     1 * extracted.getCustomIpHeader() >> '5.5.5.5'
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, '5.5.5.5')
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, '4.4.4.4')
   }
 
   def "test onResponse"() {
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
@@ -986,9 +986,6 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
 
         span.setTag("appsec.event", true);
 
-        String peerAddress = ctx.getPeerAddress();
-        span.setTag("network.client.ip", peerAddress);
-
         // Reflect client_ip as actor.ip for backward compatibility
         Object clientIp = tags.get(Tags.HTTP_CLIENT_IP);
         if (clientIp != null) {
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
@@ -194,7 +194,6 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * spanInfo.setMetric("_dd.appsec.enabled", 1)
     1 * spanInfo.setTag("_dd.runtime_family", "jvm")
     1 * spanInfo.setTag('appsec.event', true)
-    1 * spanInfo.setTag('network.client.ip', '2001::1')
     1 * spanInfo.setTag('actor.ip', '1.1.1.1')
     1 * traceSegment.setDataTop('appsec', new AppSecEventWrapper([event]))
     1 * mockAppSecCtx.isWafBlocked()
diff --git a/dd-java-agent/instrumentation-testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy b/dd-java-agent/instrumentation-testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy
@@ -2497,13 +2497,15 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
             "$Tags.HTTP_CLIENT_IP" {
               it == "0:0:0:0:0:0:0:1" || (endpoint == FORWARDED && it == endpoint.body)
             }
+            "$Tags.NETWORK_CLIENT_IP" "0:0:0:0:0:0:0:1"
           } else {
             "$Tags.PEER_HOST_IPV4" {
               it == "127.0.0.1" || (endpoint == FORWARDED && it == endpoint.body)
             }
             "$Tags.HTTP_CLIENT_IP" {
               it == "127.0.0.1" || (endpoint == FORWARDED && it == endpoint.body)
             }
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
           }
         } else {
           "$Tags.HTTP_CLIENT_IP" clientIp
diff --git a/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy b/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
@@ -486,6 +486,11 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
       assert it['rule']['tags']['type'] == 'attack_tool'
     }
     rootSpans.each { assert it.meta['actor.ip'] == '1.2.3.4' }
+    rootSpans.each {
+      // network.client.ip is the raw peer (socket) address, not the header-spoofed value
+      assert it.meta['network.client.ip'] != null
+      assert it.meta['network.client.ip'] != '1.2.3.4'
+    }
     rootSpans.each {
       assert it.meta['http.response.headers.content-type'] == 'text/plain;charset=UTF-8'
       assert it.meta['http.response.headers.content-length'] == '15'
diff --git a/internal-api/src/main/java/datadog/trace/bootstrap/instrumentation/api/Tags.java b/internal-api/src/main/java/datadog/trace/bootstrap/instrumentation/api/Tags.java
@@ -27,6 +27,7 @@ public class Tags {
   public static final String HTTP_FORWARDED_PORT = "http.forwarded.port";
   public static final String HTTP_USER_AGENT = "http.useragent";
   public static final String HTTP_CLIENT_IP = "http.client_ip";
+  public static final String NETWORK_CLIENT_IP = "network.client.ip";
   public static final String HTTP_REQUEST_CONTENT_LENGTH = "http.request_content_length";
   public static final String HTTP_RESPONSE_CONTENT_LENGTH = "http.response_content_length";
   public static final String PEER_HOST_IPV4 = "peer.ipv4";

Original file line number	Diff line number	Diff line change
`@@ -370,6 +370,9 @@ public AgentSpan onRequest(`
`370`	`370`	`} else {`
`371`	`371`	`span.setTag(Tags.PEER_HOST_IPV4, peerIp);`
`372`	`372`	`}`
	`373`	`+ if (clientIpResolverEnabled) {`
	`374`	`+ span.setTag(Tags.NETWORK_CLIENT_IP, peerIp);`
	`375`	`+ }`
`373`	`376`	`}`
`374`	`377`	`setPeerPort(span, peerPort);`
`375`	`378`	`Flow<Void> flow = callIGCallbackAddressAndPort(span, peerIp, peerPort, inferredAddressStr);`
Original file line number	Diff line number	Diff line change
`@@ -2497,13 +2497,15 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {`
`2497`	`2497`	`"$Tags.HTTP_CLIENT_IP" {`
`2498`	`2498`	`it == "0:0:0:0:0:0:0:1" \|\| (endpoint == FORWARDED && it == endpoint.body)`
`2499`	`2499`	`}`
	`2500`	`+ "$Tags.NETWORK_CLIENT_IP" "0:0:0:0:0:0:0:1"`
`2500`	`2501`	`} else {`
`2501`	`2502`	`"$Tags.PEER_HOST_IPV4" {`
`2502`	`2503`	`it == "127.0.0.1" \|\| (endpoint == FORWARDED && it == endpoint.body)`
`2503`	`2504`	`}`
`2504`	`2505`	`"$Tags.HTTP_CLIENT_IP" {`
`2505`	`2506`	`it == "127.0.0.1" \|\| (endpoint == FORWARDED && it == endpoint.body)`
`2506`	`2507`	`}`
	`2508`	`+ "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"`
`2507`	`2509`	`}`
`2508`	`2510`	`} else {`
`2509`	`2511`	`"$Tags.HTTP_CLIENT_IP" clientIp`