Add cmd, proto, and generated gRPC code

Fix .gitignore pattern that was excluding mc-proxy subdirectories.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitignore

@@ -1,5 +1,5 @@
 # Binary
-mc-proxy
+/mc-proxy
 
 # Runtime data
 srv/

cmd/mc-proxy/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+var version = "dev"
+
+func main() {
+	if err := run(); err != nil {
+		fmt.Fprintf(os.Stderr, "mc-proxy: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	return rootCmd().Execute()
+}

cmd/mc-proxy/root.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func rootCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "mc-proxy",
+		Short:   "TLS proxy and router for Metacircular Dynamics services",
+		Version: version,
+	}
+
+	cmd.AddCommand(serverCmd())
+
+	return cmd
+}

cmd/mc-proxy/server.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/spf13/cobra"
+
+	"git.wntrmute.dev/kyle/mc-proxy/internal/config"
+	"git.wntrmute.dev/kyle/mc-proxy/internal/grpcserver"
+	"git.wntrmute.dev/kyle/mc-proxy/internal/server"
+)
+
+func serverCmd() *cobra.Command {
+	var configPath string
+
+	cmd := &cobra.Command{
+		Use:   "server",
+		Short: "Start the proxy server",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, err := config.Load(configPath)
+			if err != nil {
+				return err
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+				Level: parseLogLevel(cfg.Log.Level),
+			}))
+
+			srv, err := server.New(cfg, logger, version)
+			if err != nil {
+				return err
+			}
+
+			ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+			defer cancel()
+
+			// Start gRPC admin API if configured.
+			if cfg.GRPC.Addr != "" {
+				grpcSrv, ln, err := grpcserver.New(cfg.GRPC, srv, logger)
+				if err != nil {
+					return err
+				}
+				logger.Info("gRPC admin API listening", "addr", ln.Addr())
+				go func() {
+					if err := grpcSrv.Serve(ln); err != nil {
+						logger.Error("gRPC server error", "error", err)
+					}
+				}()
+				defer grpcSrv.GracefulStop()
+			}
+
+			// SIGHUP reloads the GeoIP database.
+			sighup := make(chan os.Signal, 1)
+			signal.Notify(sighup, syscall.SIGHUP)
+			go func() {
+				for range sighup {
+					logger.Info("received SIGHUP, reloading GeoIP database")
+					if err := srv.ReloadGeoIP(); err != nil {
+						logger.Error("failed to reload GeoIP database", "error", err)
+					}
+				}
+			}()
+
+			logger.Info("mc-proxy starting", "version", version)
+			return srv.Run(ctx)
+		},
+	}
+
+	cmd.Flags().StringVarP(&configPath, "config", "c", "mc-proxy.toml", "path to configuration file")
+
+	return cmd
+}
+
+func parseLogLevel(s string) slog.Level {
+	switch s {
+	case "debug":
+		return slog.LevelDebug
+	case "warn":
+		return slog.LevelWarn
+	case "error":
+		return slog.LevelError
+	default:
+		return slog.LevelInfo
+	}
+}

gen/mc-proxy/v1/admin_grpc.pb.go

@@ -0,0 +1,355 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.1
+// - protoc             v6.33.4
+// source: proto/mc-proxy/v1/admin.proto
+
+package mcproxyv1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	ProxyAdmin_ListRoutes_FullMethodName         = "/mc_proxy.v1.ProxyAdmin/ListRoutes"
+	ProxyAdmin_AddRoute_FullMethodName           = "/mc_proxy.v1.ProxyAdmin/AddRoute"
+	ProxyAdmin_RemoveRoute_FullMethodName        = "/mc_proxy.v1.ProxyAdmin/RemoveRoute"
+	ProxyAdmin_GetFirewallRules_FullMethodName   = "/mc_proxy.v1.ProxyAdmin/GetFirewallRules"
+	ProxyAdmin_AddFirewallRule_FullMethodName    = "/mc_proxy.v1.ProxyAdmin/AddFirewallRule"
+	ProxyAdmin_RemoveFirewallRule_FullMethodName = "/mc_proxy.v1.ProxyAdmin/RemoveFirewallRule"
+	ProxyAdmin_GetStatus_FullMethodName          = "/mc_proxy.v1.ProxyAdmin/GetStatus"
+)
+
+// ProxyAdminClient is the client API for ProxyAdmin service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type ProxyAdminClient interface {
+	// Routes
+	ListRoutes(ctx context.Context, in *ListRoutesRequest, opts ...grpc.CallOption) (*ListRoutesResponse, error)
+	AddRoute(ctx context.Context, in *AddRouteRequest, opts ...grpc.CallOption) (*AddRouteResponse, error)
+	RemoveRoute(ctx context.Context, in *RemoveRouteRequest, opts ...grpc.CallOption) (*RemoveRouteResponse, error)
+	// Firewall
+	GetFirewallRules(ctx context.Context, in *GetFirewallRulesRequest, opts ...grpc.CallOption) (*GetFirewallRulesResponse, error)
+	AddFirewallRule(ctx context.Context, in *AddFirewallRuleRequest, opts ...grpc.CallOption) (*AddFirewallRuleResponse, error)
+	RemoveFirewallRule(ctx context.Context, in *RemoveFirewallRuleRequest, opts ...grpc.CallOption) (*RemoveFirewallRuleResponse, error)
+	// Status
+	GetStatus(ctx context.Context, in *GetStatusRequest, opts ...grpc.CallOption) (*GetStatusResponse, error)
+}
+
+type proxyAdminClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewProxyAdminClient(cc grpc.ClientConnInterface) ProxyAdminClient {
+	return &proxyAdminClient{cc}
+}
+
+func (c *proxyAdminClient) ListRoutes(ctx context.Context, in *ListRoutesRequest, opts ...grpc.CallOption) (*ListRoutesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ListRoutesResponse)
+	err := c.cc.Invoke(ctx, ProxyAdmin_ListRoutes_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyAdminClient) AddRoute(ctx context.Context, in *AddRouteRequest, opts ...grpc.CallOption) (*AddRouteResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(AddRouteResponse)
+	err := c.cc.Invoke(ctx, ProxyAdmin_AddRoute_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyAdminClient) RemoveRoute(ctx context.Context, in *RemoveRouteRequest, opts ...grpc.CallOption) (*RemoveRouteResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(RemoveRouteResponse)
+	err := c.cc.Invoke(ctx, ProxyAdmin_RemoveRoute_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyAdminClient) GetFirewallRules(ctx context.Context, in *GetFirewallRulesRequest, opts ...grpc.CallOption) (*GetFirewallRulesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(GetFirewallRulesResponse)
+	err := c.cc.Invoke(ctx, ProxyAdmin_GetFirewallRules_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyAdminClient) AddFirewallRule(ctx context.Context, in *AddFirewallRuleRequest, opts ...grpc.CallOption) (*AddFirewallRuleResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(AddFirewallRuleResponse)
+	err := c.cc.Invoke(ctx, ProxyAdmin_AddFirewallRule_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyAdminClient) RemoveFirewallRule(ctx context.Context, in *RemoveFirewallRuleRequest, opts ...grpc.CallOption) (*RemoveFirewallRuleResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(RemoveFirewallRuleResponse)
+	err := c.cc.Invoke(ctx, ProxyAdmin_RemoveFirewallRule_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyAdminClient) GetStatus(ctx context.Context, in *GetStatusRequest, opts ...grpc.CallOption) (*GetStatusResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(GetStatusResponse)
+	err := c.cc.Invoke(ctx, ProxyAdmin_GetStatus_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// ProxyAdminServer is the server API for ProxyAdmin service.
+// All implementations must embed UnimplementedProxyAdminServer
+// for forward compatibility.
+type ProxyAdminServer interface {
+	// Routes
+	ListRoutes(context.Context, *ListRoutesRequest) (*ListRoutesResponse, error)
+	AddRoute(context.Context, *AddRouteRequest) (*AddRouteResponse, error)
+	RemoveRoute(context.Context, *RemoveRouteRequest) (*RemoveRouteResponse, error)
+	// Firewall
+	GetFirewallRules(context.Context, *GetFirewallRulesRequest) (*GetFirewallRulesResponse, error)
+	AddFirewallRule(context.Context, *AddFirewallRuleRequest) (*AddFirewallRuleResponse, error)
+	RemoveFirewallRule(context.Context, *RemoveFirewallRuleRequest) (*RemoveFirewallRuleResponse, error)
+	// Status
+	GetStatus(context.Context, *GetStatusRequest) (*GetStatusResponse, error)
+	mustEmbedUnimplementedProxyAdminServer()
+}
+
+// UnimplementedProxyAdminServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedProxyAdminServer struct{}
+
+func (UnimplementedProxyAdminServer) ListRoutes(context.Context, *ListRoutesRequest) (*ListRoutesResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListRoutes not implemented")
+}
+func (UnimplementedProxyAdminServer) AddRoute(context.Context, *AddRouteRequest) (*AddRouteResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method AddRoute not implemented")
+}
+func (UnimplementedProxyAdminServer) RemoveRoute(context.Context, *RemoveRouteRequest) (*RemoveRouteResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method RemoveRoute not implemented")
+}
+func (UnimplementedProxyAdminServer) GetFirewallRules(context.Context, *GetFirewallRulesRequest) (*GetFirewallRulesResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetFirewallRules not implemented")
+}
+func (UnimplementedProxyAdminServer) AddFirewallRule(context.Context, *AddFirewallRuleRequest) (*AddFirewallRuleResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method AddFirewallRule not implemented")
+}
+func (UnimplementedProxyAdminServer) RemoveFirewallRule(context.Context, *RemoveFirewallRuleRequest) (*RemoveFirewallRuleResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method RemoveFirewallRule not implemented")
+}
+func (UnimplementedProxyAdminServer) GetStatus(context.Context, *GetStatusRequest) (*GetStatusResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetStatus not implemented")
+}
+func (UnimplementedProxyAdminServer) mustEmbedUnimplementedProxyAdminServer() {}
+func (UnimplementedProxyAdminServer) testEmbeddedByValue()                    {}
+
+// UnsafeProxyAdminServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to ProxyAdminServer will
+// result in compilation errors.
+type UnsafeProxyAdminServer interface {
+	mustEmbedUnimplementedProxyAdminServer()
+}
+
+func RegisterProxyAdminServer(s grpc.ServiceRegistrar, srv ProxyAdminServer) {
+	// If the following call panics, it indicates UnimplementedProxyAdminServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&ProxyAdmin_ServiceDesc, srv)
+}
+
+func _ProxyAdmin_ListRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListRoutesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyAdminServer).ListRoutes(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ProxyAdmin_ListRoutes_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyAdminServer).ListRoutes(ctx, req.(*ListRoutesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyAdmin_AddRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AddRouteRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyAdminServer).AddRoute(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ProxyAdmin_AddRoute_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyAdminServer).AddRoute(ctx, req.(*AddRouteRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyAdmin_RemoveRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RemoveRouteRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyAdminServer).RemoveRoute(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ProxyAdmin_RemoveRoute_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyAdminServer).RemoveRoute(ctx, req.(*RemoveRouteRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyAdmin_GetFirewallRules_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetFirewallRulesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyAdminServer).GetFirewallRules(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ProxyAdmin_GetFirewallRules_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyAdminServer).GetFirewallRules(ctx, req.(*GetFirewallRulesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyAdmin_AddFirewallRule_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AddFirewallRuleRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyAdminServer).AddFirewallRule(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ProxyAdmin_AddFirewallRule_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyAdminServer).AddFirewallRule(ctx, req.(*AddFirewallRuleRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyAdmin_RemoveFirewallRule_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RemoveFirewallRuleRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyAdminServer).RemoveFirewallRule(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ProxyAdmin_RemoveFirewallRule_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyAdminServer).RemoveFirewallRule(ctx, req.(*RemoveFirewallRuleRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyAdmin_GetStatus_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetStatusRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyAdminServer).GetStatus(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ProxyAdmin_GetStatus_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyAdminServer).GetStatus(ctx, req.(*GetStatusRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// ProxyAdmin_ServiceDesc is the grpc.ServiceDesc for ProxyAdmin service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var ProxyAdmin_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "mc_proxy.v1.ProxyAdmin",
+	HandlerType: (*ProxyAdminServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "ListRoutes",
+			Handler:    _ProxyAdmin_ListRoutes_Handler,
+		},
+		{
+			MethodName: "AddRoute",
+			Handler:    _ProxyAdmin_AddRoute_Handler,
+		},
+		{
+			MethodName: "RemoveRoute",
+			Handler:    _ProxyAdmin_RemoveRoute_Handler,
+		},
+		{
+			MethodName: "GetFirewallRules",
+			Handler:    _ProxyAdmin_GetFirewallRules_Handler,
+		},
+		{
+			MethodName: "AddFirewallRule",
+			Handler:    _ProxyAdmin_AddFirewallRule_Handler,
+		},
+		{
+			MethodName: "RemoveFirewallRule",
+			Handler:    _ProxyAdmin_RemoveFirewallRule_Handler,
+		},
+		{
+			MethodName: "GetStatus",
+			Handler:    _ProxyAdmin_GetStatus_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "proto/mc-proxy/v1/admin.proto",
+}

proto/mc-proxy/v1/admin.proto

@@ -0,0 +1,101 @@
+syntax = "proto3";
+
+package mc_proxy.v1;
+
+option go_package = "git.wntrmute.dev/kyle/mc-proxy/gen/mc-proxy/v1;mcproxyv1";
+
+import "google/protobuf/timestamp.proto";
+
+service ProxyAdmin {
+  // Routes
+  rpc ListRoutes(ListRoutesRequest) returns (ListRoutesResponse);
+  rpc AddRoute(AddRouteRequest) returns (AddRouteResponse);
+  rpc RemoveRoute(RemoveRouteRequest) returns (RemoveRouteResponse);
+
+  // Firewall
+  rpc GetFirewallRules(GetFirewallRulesRequest) returns (GetFirewallRulesResponse);
+  rpc AddFirewallRule(AddFirewallRuleRequest) returns (AddFirewallRuleResponse);
+  rpc RemoveFirewallRule(RemoveFirewallRuleRequest) returns (RemoveFirewallRuleResponse);
+
+  // Status
+  rpc GetStatus(GetStatusRequest) returns (GetStatusResponse);
+}
+
+// Routes
+
+message Route {
+  string hostname = 1;
+  string backend = 2;
+}
+
+message ListRoutesRequest {
+  string listener_addr = 1;
+}
+
+message ListRoutesResponse {
+  string listener_addr = 1;
+  repeated Route routes = 2;
+}
+
+message AddRouteRequest {
+  string listener_addr = 1;
+  Route route = 2;
+}
+
+message AddRouteResponse {}
+
+message RemoveRouteRequest {
+  string listener_addr = 1;
+  string hostname = 2;
+}
+
+message RemoveRouteResponse {}
+
+// Firewall
+
+enum FirewallRuleType {
+  FIREWALL_RULE_TYPE_UNSPECIFIED = 0;
+  FIREWALL_RULE_TYPE_IP = 1;
+  FIREWALL_RULE_TYPE_CIDR = 2;
+  FIREWALL_RULE_TYPE_COUNTRY = 3;
+}
+
+message FirewallRule {
+  FirewallRuleType type = 1;
+  string value = 2;
+}
+
+message GetFirewallRulesRequest {}
+
+message GetFirewallRulesResponse {
+  repeated FirewallRule rules = 1;
+}
+
+message AddFirewallRuleRequest {
+  FirewallRule rule = 1;
+}
+
+message AddFirewallRuleResponse {}
+
+message RemoveFirewallRuleRequest {
+  FirewallRule rule = 1;
+}
+
+message RemoveFirewallRuleResponse {}
+
+// Status
+
+message ListenerStatus {
+  string addr = 1;
+  int32 route_count = 2;
+  int64 active_connections = 3;
+}
+
+message GetStatusRequest {}
+
+message GetStatusResponse {
+  string version = 1;
+  google.protobuf.Timestamp started_at = 2;
+  repeated ListenerStatus listeners = 3;
+  int64 total_connections = 4;
+}