cmd/tsconnect/wasm/wasm_js.go

@@ -366,6 +366,13 @@ func newIPN(jsConfig js.Value, shutdownCh chan struct{}) map[string]any {
 		"shutdown": js.FuncOf(func(this js.Value, args []js.Value) any {
 			return jsIPN.shutdown()
 		}),
+		"setServices": js.FuncOf(func(this js.Value, args []js.Value) any {
+			if len(args) != 1 {
+				log.Printf("Usage: setServices(services)")
+				return nil
+			}
+			return jsIPN.setServices(args[0])
+		}),
 		"localAPI": js.FuncOf(func(this js.Value, args []js.Value) any {
 			if len(args) < 2 {
 				log.Printf("Usage: localAPI(method, path[, body])")
@@ -478,6 +485,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 						NodeKey:    nm.NodeKey.String(),
 						MachineKey: nm.MachineKey.String(),
 						PeerAPIURL: selfPeerAPIURL,
+						Services:   userServicesFromView(nm.SelfNode.Hostinfo().Services()),
 					},
 					MachineStatus: jsMachineStatus[nm.GetMachineStatus()],
 				},
@@ -527,6 +535,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 							MachineKey: p.Machine().String(),
 							NodeKey:    p.Key().String(),
 							PeerAPIURL: peerURL,
+							Services:   userServicesFromView(p.Hostinfo().Services()),
 						},
 						Online:              p.Online().Clone(),
 						TailscaleSSHEnabled: p.Hostinfo().TailscaleSSHEnabled(),
@@ -1362,6 +1371,39 @@ func (i *jsIPN) suggestExitNode() js.Value {
 	})
 }
 
+func (i *jsIPN) setServices(jsServices js.Value) js.Value {
+	return makePromise(func() (any, error) {
+		n := jsServices.Length()
+		svcs := make([]tailcfg.Service, 0, n)
+		for idx := range n {
+			s := jsServices.Index(idx)
+			proto := tailcfg.ServiceProto(s.Get("proto").String())
+			port := uint16(s.Get("port").Int())
+			var desc string
+			if d := s.Get("description"); d.Type() == js.TypeString {
+				desc = d.String()
+			}
+			svcs = append(svcs, tailcfg.Service{Proto: proto, Port: port, Description: desc})
+		}
+		i.lb.SetExplicitServices(svcs)
+		return nil, nil
+	})
+}
+
+// userServicesFromView converts a hostinfo services slice to jsService entries,
+// filtering out internal peerapi protocol entries (already reflected in peerAPIURL).
+func userServicesFromView(svcs views.Slice[tailcfg.Service]) []jsService {
+	out := make([]jsService, 0, svcs.Len())
+	for _, s := range svcs.All() {
+		switch s.Proto {
+		case tailcfg.PeerAPI4, tailcfg.PeerAPI6, tailcfg.PeerAPIDNS:
+			continue
+		}
+		out = append(out, jsService{Proto: string(s.Proto), Port: s.Port, Description: s.Description})
+	}
+	return out
+}
+
 func (i *jsIPN) localAPI(method, path, body string) js.Value {
 	return makePromise(func() (any, error) {
 		h := localapi.NewHandler(localapi.HandlerConfig{
@@ -1598,12 +1640,19 @@ type jsNetMap struct {
 	LockedOut bool               `json:"lockedOut"`
 }
 
+type jsService struct {
+	Proto       string `json:"proto"`
+	Port        uint16 `json:"port"`
+	Description string `json:"description,omitempty"`
+}
+
 type jsNetMapNode struct {
 	Name       string      `json:"name"`
 	Addresses  []string    `json:"addresses"`
 	MachineKey string      `json:"machineKey"`
 	NodeKey    string      `json:"nodeKey"`
 	PeerAPIURL string      `json:"peerAPIURL,omitempty"`
+	Services   []jsService `json:"services"`
 }
 
 type jsNetMapSelfNode struct {

control/controlclient/auto.go

@@ -302,6 +302,12 @@ func (c *Auto) restartMap() {
 	c.updateControl()
 }
 
+// RestartMap cancels the existing map poll and starts a fresh streaming one,
+// forcing the control server to send a new full netmap response.
+func (c *Auto) RestartMap() {
+	c.restartMap()
+}
+
 func (c *Auto) authRoutine() {
 	defer close(c.authDone)
 	bo := backoff.NewBackoff("authRoutine", c.logf, 30*time.Second)

ipn/ipnlocal/local.go

@@ -294,6 +294,7 @@ type LocalBackend struct {
 	capTailnetLock bool      // whether netMap contains the tailnet lock capability
 	// hostinfo is mutated in-place while mu is held.
 	hostinfo          *tailcfg.Hostinfo      // TODO(nickkhyl): move to nodeBackend
+	explicitServices  []tailcfg.Service      // services set explicitly via SetExplicitServices; always uploaded
 	nmExpiryTimer     tstime.TimerController // for updating netMap on node expiry; can be nil; TODO(nickkhyl): move to nodeBackend
 	activeLogin       string                 // last logged LoginName from netMap; TODO(nickkhyl): move to nodeBackend (or remove? it's in [ipn.LoginProfile]).
 	engineStatus      ipn.EngineStatus
@@ -4967,6 +4968,30 @@ func (b *LocalBackend) setPortlistServices(sl []tailcfg.Service) {
 	b.doSetHostinfoFilterServices()
 }
 
+// SetExplicitServices sets the services this node advertises on the netmap.
+// Unlike the OS port-scan path (setPortlistServices), services set here are
+// always uploaded to the control server regardless of the ShouldUploadServices
+// hook — suitable for environments like browser WASM where OS port scanning is
+// unavailable and services are declared programmatically.
+func (b *LocalBackend) SetExplicitServices(sl []tailcfg.Service) {
+	b.mu.Lock()
+	if b.hostinfo == nil {
+		b.hostinfo = new(tailcfg.Hostinfo)
+	}
+	b.hostinfo.Services = sl
+	b.explicitServices = sl
+	ccAuto := b.ccAuto
+	b.mu.Unlock()
+
+	b.doSetHostinfoFilterServices()
+	// Restart the streaming map poll so the control server sends back a fresh
+	// netmap that includes our updated services in SelfNode, and so peers
+	// receive the update promptly via the control server's push.
+	if ccAuto != nil {
+		ccAuto.RestartMap()
+	}
+}
+
 // doSetHostinfoFilterServices calls SetHostinfo on the controlclient,
 // possibly after mangling the given hostinfo.
 //
@@ -5011,8 +5036,10 @@ func (b *LocalBackend) hostInfoWithServicesLocked() *tailcfg.Hostinfo {
 	// Make a shallow copy of hostinfo so we can mutate
 	// at the Service field.
 	if f, ok := b.extHost.Hooks().ShouldUploadServices.GetOk(); !ok || !f() {
+		if len(b.explicitServices) == 0 {
 			hi.Services = []tailcfg.Service{}
 		}
+	}
 
 	// Don't mutate hi.Service's underlying array. Append to
 	// the slice with no free capacity.