fix(iso): add clang/libclang/nftables deps — rustables gateway feature uses bindgen

5th ISO attempt died in rustables's build.rs (which uses bindgen to
wrap libnftnl) with "couldn't find any valid shared libraries
matching: libclang". bindgen requires libclang.so at build time
to parse C headers. rustables also needs libnftnl-dev + libmnl-dev
for the actual wrappers.

Added to the fips-builder stage apt install line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dorian
2026-04-19 09:01:59 -04:00
parent c1bb7b675d
commit 3018849cc8

@@ -249,13 +249,16 @@ if [ ! -f "$ROOTFS_TAR" ] || [ "$1" == "--rebuild" ]; then
# we don't want to ship an ISO that silently skips FIPS.
FROM rust:1-slim-bookworm AS fips-builder
ENV DEBIAN_FRONTEND=noninteractive
# libdbus-1-dev and libssl-dev added because jmcorgan/fips upstream
# now links against dbus + openssl (observed 2026-04-19 rebuild). The
# .pc files need to be present at pkg-config time or the cargo build
# panics in libdbus-sys's build.rs.
# Build deps tracked as upstream fips adds transitive native deps:
# - libdbus-1-dev: libdbus-sys (observed 2026-04-19 rebuild)
# - libssl-dev: openssl dependencies
# - libnftnl-dev, libmnl-dev, clang, libclang-dev: rustables →
# bindgen (the gateway feature enables rustables for nftables
# integration). bindgen panics without libclang.so.
RUN apt-get update && apt-get install -y --no-install-recommends \\
git ca-certificates build-essential pkg-config dpkg-dev \\
libdbus-1-dev libssl-dev \\
clang libclang-dev libnftnl-dev libmnl-dev \\
&& rm -rf /var/lib/apt/lists/*
RUN cargo install --locked cargo-deb
RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips
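Review bot: the new comment header "Build deps tracked as upstream fips adds transitive native deps" documents a symptom of the unpinned `git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips` in the trailing context, which builds whatever upstream HEAD is at rebuild time. Every rebuild can therefore pull in new native build dependencies, and different source, with no change in this repository, which is how the dbus/openssl and now the libclang failures surfaced. Suggest checking out a specific upstream commit or tag after the clone and bumping it deliberately, so the apt list on the `clang libclang-dev libnftnl-dev libmnl-dev` line is tied to a known upstream revision and the ISO contents stay reproducible and reviewable. Separately, the rewritten comment drops the earlier explanation that the .pc files must be present at pkg-config time or libdbus-sys's build.rs panics, and the `libssl-dev: openssl dependencies` bullet names neither the crate nor the failure; keeping the failure mode per bullet, as the rustables/bindgen bullet does, would make it clear when a package can be removed again.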