Hello, hello!

This update features a number of improvements such as link-local support for bridges, HA sync consolidation, adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4.

Python 3 migration is also underway now, which requires pulling in both Python versions. This may be heavy on embedded Nano installs, but we cannot see another way for this tedious task, which will probably stretch into 19.7 to be fully carried out in 20.1.

And speaking of 20.1: This is the first of many reminders that 20.1 will discontinue the i386 (Intel 32 Bit) franchise as discussed a number of times within the community over the years. Our hope is that ARM64 will make a viable replacement. But that is for another time.

As you may have noticed the project has not been delivering releases every other week and there are a number of reasons for it:

Security-wise we have not had a lot of necessary third-party software updates. Feature-wise we are sitting on a number of improvements for the upcoming 19.7 series that will trickle into 19.1.x now, but that have also required larger preparations and testing in the meantime. On the community side of the spectrum, sponsored by our partner m.a.x. it, we have started to work on better default gateway switching which led to an overall gateway integration rework and then quickly to interface handling restructuring, which in turn led to improving plugin capabilities of core services (OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it has been the largest rework so far on code established many years ago and only occasionally patched. We hope this shows our dedication to the code base even when things are not always 100% bug free.
If you feel like pitching in, now is a good time to try the development version and let us know about how it performs.

Without further ado, here are the full patch notes:

o system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
o system: support for syncing alias and VHID to the slave
o system: cleanly rewrite CA root files and add local trusted CAs as well
o system: disable backup cron job when no backup is enabled
o system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
o system: migrate health graph scripts to Python 3.6
o interfaces: properly add and remove IPv6 trackers after interface apply
o interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
o interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
o interfaces: fix passing VLAN name in interface_virtual_create()
o interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
o interfaces: allow link-local address on bridges via optional setting
o interfaces: PPP-related code cleanups
o firewall: prevent double-escaping of text in rules page
o firewall: handle IDNA encode failures in aliases
o firewall: alias import / export option
o captive portal: update to bootstrap 3.4.1
o captive portal: fix a race in directory creation and listClients()
o dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
o dhcp: merge static mac addresses with leases
o dhcp: prevent double-escaping of text in leases page
o firmware: add private log file for major upgrade package install step
o firmware: use a safer major upgrade package install mode
o firmware: retain /etc/motd on base updates
o ipsec: implemented wildcard includes (contributed by Mark Plomer)
o ipsec: only apply mobile PFS to mobile phase 2
o ipsec: restyle mobile settings a little
o ipsec: switch XAuth to PAM
o ipsec: partial fix for static routes on routed tunnels during boot
o network time: reload RRD since NTP has a setting for it
o web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
o web proxy: switch authentication to PAM
o backend: treat non existing key as empty string in sortDictList()
o mvc: pluggable PAM-based authentication framework
o mvc: add filter closure to searchBase()
o plugins: introduce plugins_run() for collecting structured data from plugins
o plugins: os-clamav 1.6[1]
o plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
o plugins: os-frr 1.10[2]
o plugins: os-netdata 1.0 (contributed by Michael Muenz)
o plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)
o plugins: os-rfc2136 1.5 removes unused gateway group related code
o src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()
o src: ensure that IP addresses match in ICMP error packets in pf(4)
o src: add bsdinstall utility for upcoming 19.7 installer replacement
o ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78)
o ports: hostapd / wpa_supplicant 2.8[3]
o ports: perl 5.28.2[4]
o ports: py-yaml 5.1[5]
o ports: suricata 4.1.4[6]
o ports: sqlite 3.27.2[7]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[4] https://perldoc.pl/5.28.2/perldelta
[5] https://github.com/yaml/pyyaml/blob/master/CHANGES
[6] https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
[7] https://www.sqlite.org/changes.html