From 4c57bceec07139dafc2a9d1f9e283e1df1846a06 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 15 Feb 2026 10:28:48 +0000
Subject: [PATCH 2/4] ci: add riscv64 target and size-focused build flags

Co-authored-by: vemneyy <78843201+vemneyy@users.noreply.github.com>
---
 .github/workflows/build.yml | 19 +++++++++++++------
 install_bin.sh              |  2 +-
 nfq/BSDmakefile             |  4 +++-
 nfq/Makefile                |  4 +++-
 nfq/sec.h                   |  7 +++++++
 tpws/sec.h                  |  7 +++++++
 6 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d474aafe..26ec2915 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -52,6 +52,8 @@ jobs:
             tool: i586-unknown-linux-musl
           - arch: x86_64
             tool: x86_64-unknown-linux-musl
+          - arch: riscv64
+            tool: riscv64-unknown-linux-musl
           - arch: lexra
             tool: mips-linux
             dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001
@@ -69,7 +71,7 @@ jobs:
         env:
           ARCH: ${{ matrix.arch }}
           TOOL: ${{ matrix.tool }}
-          REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }}
+          REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'bol-van/musl-cross' }}
           DIR: ${{ matrix.arch == 'lexra' && matrix.dir || matrix.tool }}
         run: |
           if [[ "$ARCH" == lexra ]]; then
@@ -93,6 +95,8 @@ jobs:
           CFLAGS: ${{ matrix.env.CFLAGS != '' && matrix.env.CFLAGS || null }}
           LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MINSIZE: -ffunction-sections -fdata-sections -fno-unwind-tables -fno-asynchronous-unwind-tables
+          LDMINSIZE: -Wl,--gc-sections
         run: |
           DEPS_DIR=$GITHUB_WORKSPACE/deps
           export CC="$TARGET-gcc"
@@ -111,7 +115,8 @@ jobs:
           for i in libmnl libnfnetlink libnetfilter_queue ; do
             (
               cd $i-*
-              CFLAGS="-Os -flto=auto $CFLAGS" \
+              CFLAGS="-Os -flto=auto $MINSIZE $CFLAGS" \
+              LDFLAGS="$LDMINSIZE $LDFLAGS" \
               ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
               make install -j$(nproc) DESTDIR=$DEPS_DIR
             )
@@ -123,7 +128,8 @@ jobs:
             xargs -I{} wget -qO- https://github.com/madler/zlib/archive/refs/tags/{}.tar.gz | tar -xz
           (
             cd zlib-*
-            CFLAGS="-Os -flto=auto $CFLAGS" \
+            CFLAGS="-Os -flto=auto $MINSIZE $CFLAGS" \
+            LDFLAGS="$LDMINSIZE $LDFLAGS" \
             ./configure --prefix= --static
             make install -j$(nproc) DESTDIR=$DEPS_DIR
           )
@@ -134,8 +140,8 @@ jobs:
           install -Dm644 -t $DEPS_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h
 
           # zapret
-          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \
-          LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $MINSIZE $CFLAGS" \
+          LDFLAGS="-L$DEPS_DIR/lib $LDMINSIZE $LDFLAGS" \
           make -C zapret -j$(nproc)
           tar -C zapret/binaries/my -cJf zapret-linux-$ARCH.tar.xz .
 
@@ -419,7 +425,7 @@ jobs:
                   if [[ $dir == *-linux-x86_64 ]]; then
                     tar -C $dir -czvf $dir/tpws_wsl.tgz tpws
                     run_upx $dir/*
-                  elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then
+                  elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]] && [[ $dir != *-linux-riscv64 ]]; then
                     run_upx $dir/*
                   fi
                   ;;
@@ -448,6 +454,7 @@ jobs:
                 *-linux-mipselsf )      run_dir linux-mipsel ;;
                 *-linux-mipssf )        run_dir linux-mips ;;
                 *-linux-ppc )           run_dir linux-ppc ;;
+                *-linux-riscv64 )       run_dir linux-riscv64 ;;
                 *-linux-x86 )           run_dir linux-x86 ;;
                 *-linux-x86_64 )        run_dir linux-x86_64 ;;
                 *-linux-lexra )         run_dir linux-lexra ;;
diff --git a/install_bin.sh b/install_bin.sh
index 4afa50bd..5b9d86e7 100755
--- a/install_bin.sh
+++ b/install_bin.sh
@@ -165,7 +165,7 @@ fi
 unset PKTWS
 case $UNAME in
 	Linux)
-		ARCHLIST="my linux-x86_64 linux-x86 linux-arm64 linux-arm linux-mips64 linux-mipsel linux-mips linux-lexra linux-ppc"
+		ARCHLIST="my linux-x86_64 linux-x86 linux-arm64 linux-arm linux-mips64 linux-mipsel linux-mips linux-lexra linux-ppc linux-riscv64"
 		PKTWS=nfqws
 		;;
 	Darwin)
diff --git a/nfq/BSDmakefile b/nfq/BSDmakefile
index f21d1180..b65d0a64 100644
--- a/nfq/BSDmakefile
+++ b/nfq/BSDmakefile
@@ -1,6 +1,8 @@
 CC ?= cc
 OPTIMIZE ?= -Os
-CFLAGS += -std=gnu99 -s $(OPTIMIZE) -flto=auto -Wno-address-of-packed-member
+MINSIZE ?= -flto=auto -ffunction-sections -fdata-sections -fno-unwind-tables -fno-asynchronous-unwind-tables
+CFLAGS += -std=gnu99 -s $(OPTIMIZE) $(MINSIZE) -Wno-address-of-packed-member
+LDFLAGS += -Wl,--gc-sections
 LIBS = -lz
 SRC_FILES = *.c crypto/*.c
 
diff --git a/nfq/Makefile b/nfq/Makefile
index 97cf6bba..f3ec3338 100644
--- a/nfq/Makefile
+++ b/nfq/Makefile
@@ -1,9 +1,11 @@
 CC ?= cc
 OPTIMIZE ?= -Os
-CFLAGS += -std=gnu99 $(OPTIMIZE) -flto=auto
+MINSIZE ?= -flto=auto -ffunction-sections -fdata-sections -fno-unwind-tables -fno-asynchronous-unwind-tables
+CFLAGS += -std=gnu99 $(OPTIMIZE) $(MINSIZE)
 CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
+LDFLAGS += -Wl,--gc-sections
 LDFLAGS_ANDROID = -llog
 LIBS_LINUX = -lz -lnetfilter_queue -lnfnetlink -lmnl
 LIBS_SYSTEMD = -lsystemd
diff --git a/nfq/sec.h b/nfq/sec.h
index 621eaddc..d2ba0003 100644
--- a/nfq/sec.h
+++ b/nfq/sec.h
@@ -18,6 +18,13 @@ bool dropcaps(void);
 #define arch_nr (offsetof(struct seccomp_data, arch))
 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x]))
 
+#ifndef AUDIT_ARCH_RISCV64
+#define AUDIT_ARCH_RISCV64 (EM_RISCV | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
+#endif
+#ifndef EM_RISCV
+#define EM_RISCV 243
+#endif
+
 #if defined(__aarch64__)
 
 # define ARCH_NR	AUDIT_ARCH_AARCH64
diff --git a/tpws/sec.h b/tpws/sec.h
index c75ad4bb..ff556b64 100644
--- a/tpws/sec.h
+++ b/tpws/sec.h
@@ -20,6 +20,13 @@ bool dropcaps(void);
 #define arch_nr (offsetof(struct seccomp_data, arch))
 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x]))
 
+#ifndef AUDIT_ARCH_RISCV64
+#define AUDIT_ARCH_RISCV64 (EM_RISCV | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
+#endif
+#ifndef EM_RISCV
+#define EM_RISCV 243
+#endif
+
 #if defined(__aarch64__)
 
 # define ARCH_NR	AUDIT_ARCH_AARCH64

From 6f8244279c1eb560b01c61f7c26aa579b3ca16cc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 15 Feb 2026 10:30:26 +0000
Subject: [PATCH 3/4] fix: reorder riscv seccomp fallback defines

Co-authored-by: vemneyy <78843201+vemneyy@users.noreply.github.com>
---
 _codeql_detected_source_root | 1 +
 nfq/sec.h                    | 6 +++---
 tpws/sec.h                   | 6 +++---
 3 files changed, 7 insertions(+), 6 deletions(-)
 create mode 120000 _codeql_detected_source_root

diff --git a/_codeql_detected_source_root b/_codeql_detected_source_root
new file mode 120000
index 00000000..945c9b46
--- /dev/null
+++ b/_codeql_detected_source_root
@@ -0,0 +1 @@
+.
\ No newline at end of file
diff --git a/nfq/sec.h b/nfq/sec.h
index d2ba0003..27b09dd2 100644
--- a/nfq/sec.h
+++ b/nfq/sec.h
@@ -18,12 +18,12 @@ bool dropcaps(void);
 #define arch_nr (offsetof(struct seccomp_data, arch))
 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x]))
 
-#ifndef AUDIT_ARCH_RISCV64
-#define AUDIT_ARCH_RISCV64 (EM_RISCV | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
-#endif
 #ifndef EM_RISCV
 #define EM_RISCV 243
 #endif
+#ifndef AUDIT_ARCH_RISCV64
+#define AUDIT_ARCH_RISCV64 (EM_RISCV | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
+#endif
 
 #if defined(__aarch64__)
 
diff --git a/tpws/sec.h b/tpws/sec.h
index ff556b64..77d7fd29 100644
--- a/tpws/sec.h
+++ b/tpws/sec.h
@@ -20,12 +20,12 @@ bool dropcaps(void);
 #define arch_nr (offsetof(struct seccomp_data, arch))
 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x]))
 
-#ifndef AUDIT_ARCH_RISCV64
-#define AUDIT_ARCH_RISCV64 (EM_RISCV | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
-#endif
 #ifndef EM_RISCV
 #define EM_RISCV 243
 #endif
+#ifndef AUDIT_ARCH_RISCV64
+#define AUDIT_ARCH_RISCV64 (EM_RISCV | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
+#endif
 
 #if defined(__aarch64__)
 

From 0436574dc0e1c583861ff9af9a292bcc76aaf41b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 15 Feb 2026 10:30:35 +0000
Subject: [PATCH 4/4] chore: remove unintended codeql artifact symlink

Co-authored-by: vemneyy <78843201+vemneyy@users.noreply.github.com>
---
 _codeql_detected_source_root | 1 -
 1 file changed, 1 deletion(-)
 delete mode 120000 _codeql_detected_source_root

diff --git a/_codeql_detected_source_root b/_codeql_detected_source_root
deleted file mode 120000
index 945c9b46..00000000
--- a/_codeql_detected_source_root
+++ /dev/null
@@ -1 +0,0 @@
-.
\ No newline at end of file