netbirdio · hakansa · Sep 25, 2025 · Sep 29, 2025 · Sep 29, 2025 · Sep 29, 2025
diff --git a/client/internal/engine.go b/client/internal/engine.go
@@ -453,8 +453,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		return fmt.Errorf("up wg interface: %w", err)
 	}
 
-
-
 	// if inbound conns are blocked there is no need to create the ACL manager
 	if e.firewall != nil && !e.config.BlockInbound {
 		e.acl = acl.NewDefaultManager(e.firewall)
@@ -760,7 +758,7 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	}
 
 	nm := update.GetNetworkMap()
-	if nm == nil {
+	if nm == nil || update.SkipNetworkMapUpdate {
 		return nil
 	}
 

diff --git a/client/system/info.go b/client/system/info.go
@@ -96,6 +96,21 @@ func (i *Info) SetFlags(
 	i.LazyConnectionEnabled = lazyConnectionEnabled
 }
 
+func (i *Info) CopyFlagsFrom(other *Info) {
+	i.SetFlags(
+		other.RosenpassEnabled,
+		other.RosenpassPermissive,
+		&other.ServerSSHAllowed,
+		other.DisableClientRoutes,
+		other.DisableServerRoutes,
+		other.DisableDNS,
+		other.DisableFirewall,
+		other.BlockLANAccess,
+		other.BlockInbound,
+		other.LazyConnectionEnabled,
+	)
+}
+
 // extractUserAgent extracts Netbird's agent (client) name and version from the outgoing context
 func extractUserAgent(ctx context.Context) string {
 	md, hasMeta := metadata.FromOutgoingContext(ctx)

diff --git a/shared/management/client/grpc.go b/shared/management/client/grpc.go
@@ -44,6 +44,9 @@ type GrpcClient struct {
 	conn                  *grpc.ClientConn
 	connStateCallback     ConnStateNotifier
 	connStateCallbackLock sync.RWMutex
+	// lastNetworkMapSerial stores last seen network map serial to optimize sync
+	lastNetworkMapSerial   uint64
+	lastNetworkMapSerialMu sync.Mutex
 }
 
 // NewClient creates a new client to Management service
@@ -216,11 +219,23 @@ func (c *GrpcClient) GetNetworkMap(sysInfo *system.Info) (*proto.NetworkMap, err
 		return nil, fmt.Errorf("invalid msg, required network map")
 	}
 
+	// update last seen serial
+	c.setLastNetworkMapSerial(decryptedResp.GetNetworkMap().GetSerial())
+
 	return decryptedResp.GetNetworkMap(), nil
 }
 
 func (c *GrpcClient) connectToStream(ctx context.Context, serverPubKey wgtypes.Key, sysInfo *system.Info) (proto.ManagementService_SyncClient, error) {
-	req := &proto.SyncRequest{Meta: infoToMetaData(sysInfo)}
+	// Always compute latest system info to ensure up-to-date PeerSystemMeta on first and subsequent syncs
+	recomputed := system.GetInfo(c.ctx)
+	if sysInfo != nil {
+		recomputed.CopyFlagsFrom(sysInfo)
+		// carry over posture files if any were computed
+		if len(sysInfo.Files) > 0 {
+			recomputed.Files = sysInfo.Files
+		}
+	}
+	req := &proto.SyncRequest{Meta: infoToMetaData(recomputed), NetworkMapSerial: c.getLastNetworkMapSerial()}
 
 	myPrivateKey := c.key
 	myPublicKey := myPrivateKey.PublicKey()
@@ -258,6 +273,11 @@ func (c *GrpcClient) receiveEvents(stream proto.ManagementService_SyncClient, se
 			return err
 		}
 
+		// track latest network map serial if present
+		if decryptedResp.GetNetworkMap() != nil {
+			c.setLastNetworkMapSerial(decryptedResp.GetNetworkMap().GetSerial())
+		}
+
 		if err := msgHandler(decryptedResp); err != nil {
 			log.Errorf("failed handling an update message received from Management Service: %v", err.Error())
 		}
@@ -582,3 +602,18 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 		},
 	}
 }
+
+// setLastNetworkMapSerial updates the cached last seen network map serial in a 32-bit safe manner
+func (c *GrpcClient) setLastNetworkMapSerial(serial uint64) {
+	c.lastNetworkMapSerialMu.Lock()
+	c.lastNetworkMapSerial = serial
+	c.lastNetworkMapSerialMu.Unlock()
+}
+
+// getLastNetworkMapSerial returns the cached last seen network map serial in a 32-bit safe manner
+func (c *GrpcClient) getLastNetworkMapSerial() uint64 {
+	c.lastNetworkMapSerialMu.Lock()
+	v := c.lastNetworkMapSerial
+	c.lastNetworkMapSerialMu.Unlock()
+	return v
+}
diff --git a/shared/management/proto/management.pb.go b/shared/management/proto/management.pb.go
diff --git a/shared/management/proto/management.proto b/shared/management/proto/management.proto
@@ -63,6 +63,8 @@ message EncryptedMessage {
 message SyncRequest {
   // Meta data of the peer
   PeerSystemMeta meta = 1;
+  // Optional: last known NetworkMap serial number on the client
+  uint64 networkMapSerial = 2;
 }
 
 // SyncResponse represents a state that should be applied to the local peer (e.g. Netbird servers config as well as local peer and remote peers configs)
@@ -85,6 +87,9 @@ message SyncResponse {
 
   // Posture checks to be evaluated by client
   repeated Checks Checks = 6;
+
+  // Indicates whether the client should skip updating the network map
+  bool skipNetworkMapUpdate = 7;
 }
 
 message  SyncMetaRequest {