| -rw-r--r-- | data/templates/conntrackd/conntrackd.conf.j2 | 4 | ||||
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 4 | ||||
| -rw-r--r-- | interface-definitions/ssh.xml.in | 31 | ||||
| -rwxr-xr-x | src/conf_mode/ssh.py | 3 | 
4 files changed, 41 insertions, 1 deletions
|
diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2
index 66024869d..808a77759 100644
--- a/data/templates/conntrackd/conntrackd.conf.j2
+++ b/data/templates/conntrackd/conntrackd.conf.j2
@@ -9,7 +9,9 @@ Sync {
 {%     if iface_config.peer is vyos_defined %}
     UDP {
 {%         if listen_address is vyos_defined %}
-        IPv4_address {{ listen_address }}
+{%             for address in listen_address %}
+        IPv4_address {{ address }}
+{%             endfor %}
 {%         endif %}
         IPv4_Destination_Address {{ iface_config.peer }}
         Port {{ iface_config.port if iface_config.port is vyos_defined else '3780' }}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index e7dbca581..79b07478b 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -96,3 +96,7 @@ DenyGroups {{ access_control.deny.group | join(' ') }}
 # sshd(8) will send a message through the encrypted channel to request a response from the client
 ClientAliveInterval {{ client_keepalive_interval }}
 {% endif %}
+
+{% if rekey.data is vyos_defined  %}
+RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
+{% endif %}
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index 126183162..f3c731fe5 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
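Review bot: The new `{% for address in listen_address %}` loop assumes `listen_address` reaches the template as a list, but nothing in this commit touches the conntrack-sync interface definition or its conf_mode script, so if the `listen-address` node is still single-valued the template is handed a string and the loop emits one `IPv4_address` line per character of it. Either ship the multi-valued node change in the same commit or make the loop tolerant of both shapes, e.g. `{% for address in ([listen_address] if listen_address is string else listen_address) %}`. The enclosing `Sync {` block opens and closes outside the hunk.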
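Review bot: `{{ rekey.time + 'M' if rekey.time is vyos_defined }}` renders as an empty expression when only `data` is configured, leaving a trailing space after `RekeyLimit <data>M`; sshd tolerates that, but moving the separator inside the conditional keeps the generated line clean: `RekeyLimit {{ rekey.data }}M{{ ' ' + rekey.time + 'M' if rekey.time is vyos_defined }}`. The opening tag `{% if rekey.data is vyos_defined  %}` also carries a doubled space before `%}` that the surrounding tags do not. A one-line comment above the block, `# RekeyLimit <data>M [<time>M]: data in megabytes, time in minutes, see sshd_config(5)`, would spare the next reader a lookup of the unit suffixes.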
@@ -206,6 +206,37 @@
             </properties>
             <defaultValue>22</defaultValue>
           </leafNode>
+          <node name="rekey">
+            <properties>
+              <help>SSH session rekey limit</help>
+            </properties>
+            <children>
+              <leafNode name="data">
+                <properties>
+                  <help>Threshold data in megabytes</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Megabytes</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="time">
+                <properties>
+                  <help>Threshold time in minutes</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Minutes</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
           <leafNode name="client-keepalive-interval">
             <properties>
               <help>Enable transmission of keepalives from server to client</help>
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 2bbd7142a..8746cc701 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -73,6 +73,9 @@ def verify(ssh):
     if not ssh:
         return None
+    if 'rekey' in ssh and 'data' not in ssh['rekey']:
+        raise ConfigError(f'Rekey data is required!')
+
     verify_vrf(ssh)
     return None
|
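Review bot: The `time` leaf has no effect on its own — the `RekeyLimit` line in sshd_config.j2 is only rendered when `data` is set, and `verify()` in ssh.py rejects a `rekey` node without `data` — but nothing in the new node's help tells the operator that while they are configuring it. Stating the dependency in the help text, e.g. `<help>Threshold time in minutes (requires rekey data)</help>`, makes the commit-time ConfigError predictable instead of a surprise. The parent `<node>` that contains these definitions starts outside the hunk.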
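Review bot: `raise ConfigError(f'Rekey data is required!')` uses an f-string with no placeholders; drop the prefix, `raise ConfigError('Rekey data is required!')`, so linters stop flagging it and the message reads as the plain literal it is. The check itself, rejecting `rekey` without `data`, mirrors the guard in sshd_config.j2 where `RekeyLimit` is only rendered when `data` is set, so the two stay consistent. The `def verify(ssh):` signature appears only as hunk context and lies outside the hunk.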
