diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index b23bf633..735ee04d 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -249,13 +249,16 @@ if [ ! -f "$ROOTFS_TAR" ] || [ "$1" == "--rebuild" ]; then
 # we don't want to ship an ISO that silently skips FIPS.
 FROM rust:1-slim-bookworm AS fips-builder
 ENV DEBIAN_FRONTEND=noninteractive
-# libdbus-1-dev and libssl-dev added because jmcorgan/fips upstream
-# now links against dbus + openssl (observed 2026-04-19 rebuild). The
-# .pc files need to be present at pkg-config time or the cargo build
-# panics in libdbus-sys's build.rs.
+# Build deps tracked as upstream fips adds transitive native deps:
+# - libdbus-1-dev: libdbus-sys (observed 2026-04-19 rebuild)
+# - libssl-dev: openssl dependencies
+# - libnftnl-dev, libmnl-dev, clang, libclang-dev: rustables →
+# bindgen (the gateway feature enables rustables for nftables
+# integration). bindgen panics without libclang.so.
 RUN apt-get update && apt-get install -y --no-install-recommends \\
 git ca-certificates build-essential pkg-config dpkg-dev \\
 libdbus-1-dev libssl-dev \\
+ clang libclang-dev libnftnl-dev libmnl-dev \\
 && rm -rf /var/lib/apt/lists/*
 RUN cargo install --locked cargo-deb
 RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips
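Review bot: The added comment says the package list is "tracked as upstream fips adds transitive native deps", but the last context line still clones `https://github.com/jmcorgan/fips.git` with `--depth 1` at whatever HEAD is on build day. The four new packages were therefore verified against an unrecorded revision, and the next rebuild can again compile different source and different build scripts into the ISO. Consider pinning the source to a reviewed revision, for example `git clone --depth 1 --branch <PINNED_TAG> https://github.com/jmcorgan/fips.git /src/fips` if upstream publishes tags, and naming that revision in the comment next to the packages it required. The rewritten comment also drops the earlier explanation that the `.pc` files must be present at pkg-config time, and only the libdbus-1-dev entry keeps an observation date; restoring that clause and dating the rustables group would keep the rationale auditable. The Dockerfile heredoc continues outside this hunk, so whether the fips build itself runs with `--locked` cannot be seen here.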