NGFW-15626: Add Bookworm kernel 6.1.159 build support

Jenkinsfile

@@ -1,6 +1,6 @@
-def architectures = ['amd64', 'arm64']
+def architectures = (env.ARCHITECTURES ?: 'amd64').split(',') as List
 
-def repositories = ['bullseye']
+def repositories = (env.REPOSITORIES ?: 'bullseye').split(',') as List
 
 def jobs = [:] // dynamically populated later on
 
@@ -19,6 +19,12 @@ void buildKernel(String repository, String architecture, String upload, String b
 pipeline {
   agent none
 
+  parameters {
+    string(name: 'REPOSITORIES', defaultValue: 'bullseye', description: 'Comma-separated list of repositories to build (e.g. bullseye, bookworm, bullseye,bookworm)')
+    string(name: 'ARCHITECTURES', defaultValue: 'amd64', description: 'Comma-separated list of architectures to build (e.g. amd64, arm64, amd64,arm64)')
+    string(name: 'NODE_LABEL', defaultValue: 'docker', description: 'Jenkins node label to run builds on (e.g. docker, aws-build-03)')
+  }
+
   stages {
     stage('Build') {
       steps {
@@ -30,7 +36,7 @@ pipeline {
 	      def name = "${arch}/${repo}"
 
               jobs[name] = {
-                node('docker') {
+                node(env.NODE_LABEL ?: 'docker') {
 		  stage(name) {
                     def upload = "scp"
                     def buildDir = "${env.HOME}/build-ngfw_kernels-${env.BRANCH_NAME}-${arch}-${env.BUILD_NUMBER}"

build-order.txt

@@ -1,2 +1,3 @@
 debian-4.19.0/linux-4.19.146 buster
 debian-5.10.0/linux-5.10.205 bullseye
+debian-6.1.159/linux-6.1.159 bookworm

debian-6.1.159/.gitignore

@@ -0,0 +1,8 @@
+linux-*
+*.deb
+*.udeb
+*.tar.xz
+*.buildinfo
+*.upload
+*.changes
+*stamp

debian-6.1.159/Makefile

@@ -0,0 +1,120 @@
+# Generic Makefile for building an Untangle kernel based on a Debian one
+#
+# Nothing should have to change in this file; instead,
+# version-specific settings and variables can be defined in
+# kernel.conf
+
+include $(shell dirname $(MAKEFILE_LIST))/kernel.conf
+
+UNTANGLE_MIRROR := https://downloads.edge.arista.com/public/kernels
+DEBIAN_MIRROR := https://deb.debian.org/debian/pool/main/l/linux
+DEBIAN_SECURITY_MIRROR := https://deb.debian.org/debian-security/pool/updates/main/l/linux
+
+ORIG_TARBALL := linux_$(UPSTREAM_VERSION).orig.tar.xz
+DEBIAN_TARBALL := linux_$(UPSTREAM_VERSION)-$(DEBIAN_VERSION).debian.tar.xz
+KDSC := linux_$(UPSTREAM_VERSION)-$(DEBIAN_VERSION).dsc
+UNTANGLE_PATCH_SERIES := patches/untangle/series
+DEBIAN_PATCH_SERIES := patches/debian/series
+
+KERNEL_DIR := linux-$(UPSTREAM_VERSION)
+UNTANGLE_BUILD_PROFILES_FILE=$(KERNEL_DIR)/debian/untangle-build-profiles
+
+ARCH ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
+
+ifeq ($(ARCH),armhf)
+  PARALLEL_JOBS ?= 1
+else
+  PARALLEL_JOBS ?= $(shell echo "$$((1+`nproc`))")
+endif
+
+export CONCURRENCY_LEVEL=$(PARALLEL_JOBS)
+export DEBIAN_KERNEL_JOBS=$(PARALLEL_JOBS)
+export DEB_BUILD_OPTIONS="parallel=$(PARALLEL_JOBS)"
+export AUTOBUILD=1
+
+all:	clean pkgs
+
+download: $(KDSC) $(ORIG_TARBALL) $(DEBIAN_TARBALL)
+$(KDSC):
+	curl -f -O $(UNTANGLE_MIRROR)/$(KDSC) 2>/dev/null || \
+	curl -f -O $(DEBIAN_SECURITY_MIRROR)/$(KDSC) 2>/dev/null || \
+	curl -f -O $(DEBIAN_MIRROR)/$(KDSC)
+$(ORIG_TARBALL):
+	curl -f -O $(UNTANGLE_MIRROR)/$(ORIG_TARBALL) 2>/dev/null || \
+	curl -f -O $(DEBIAN_SECURITY_MIRROR)/$(ORIG_TARBALL) 2>/dev/null || \
+	curl -f -O $(DEBIAN_MIRROR)/$(ORIG_TARBALL)
+$(DEBIAN_TARBALL):
+	curl -f -O $(UNTANGLE_MIRROR)/$(DEBIAN_TARBALL) 2>/dev/null || \
+	curl -f -O $(DEBIAN_SECURITY_MIRROR)/$(DEBIAN_TARBALL) 2>/dev/null || \
+	curl -f -O $(DEBIAN_MIRROR)/$(DEBIAN_TARBALL)
+
+extract: extract-stamp
+extract-stamp: $(KDSC) $(ORIG_TARBALL) $(DEBIAN_TARBALL)
+	dpkg-source -x $(KDSC)
+	touch $@
+
+patch-debian: patch-debian-stamp
+patch-debian-stamp: extract-stamp patches/debian/*
+	while read patch ; do \
+	  echo "Applying $$patch" ; \
+	  patch -d $(KERNEL_DIR) -p1 < patches/debian/$$patch || exit 1 ; \
+	done < $(DEBIAN_PATCH_SERIES)
+	touch $@
+
+patch-untangle: patch-untangle-stamp
+patch-untangle-stamp: extract-stamp patches/untangle/*
+	mkdir -p $(KERNEL_DIR)/debian/patches-untangle
+	cp patches/untangle/* $(KERNEL_DIR)/debian/patches-untangle
+	touch $@
+
+version: version-stamp
+version-stamp: changelog
+	cat  changelog $(KERNEL_DIR)/debian/changelog > /tmp/changelog
+	mv /tmp/changelog $(KERNEL_DIR)/debian/changelog
+	touch $@
+
+patch: patch-debian patch-untangle version
+
+pkgs:	kpkg-arch kpkg-indep
+
+deps:	force control-real
+	cd $(KERNEL_DIR) ; apt build-dep -y --build-profiles $(shell cat debian/untangle-build-profiles) --host-architecture $(ARCH) .
+
+kpkg-arch: control-real force
+	DEB_BUILD_PROFILES="$(shell sed -e 's/,/ /g' $(UNTANGLE_BUILD_PROFILES_FILE))" fakeroot make -C $(KERNEL_DIR) -j $(PARALLEL_JOBS) -f debian/rules.gen binary-arch_$(ARCH)_untangle
+kpkg-indep: control-real force
+	DEB_BUILD_PROFILES="$(shell sed -e 's/,/ /g' $(UNTANGLE_BUILD_PROFILES_FILE))" fakeroot make -C $(KERNEL_DIR) -j $(PARALLEL_JOBS) -f debian/rules binary-indep
+
+kern:   ${KERNEL_DIR} kpkg-arch
+
+src: 	${KERNEL_DIR} control-real force
+	DEB_BUILD_PROFILES="$(shell sed -e 's/,/ /g' $(UNTANGLE_BUILD_PROFILES_FILE))" fakeroot make -C $(KERNEL_DIR) -f debian/rules.gen source_untangle setup_$(ARCH)_untangle
+
+control-real: ${KERNEL_DIR}/debian/control-real
+${KERNEL_DIR}/debian/control-real: force patch
+	which kernel-wedge || apt install -y kernel-wedge
+	python3 -c 'import jinja2' 2>/dev/null || apt install -y python3-jinja2
+	# do not build -dbg images
+	# FIXME: this should be a proper patch in patches/debian, so
+	# we're warned early on when we bump versions and the syntax
+	# has changed
+	perl -i -pe 's/debug-info:.*/debug-info: false/' $(KERNEL_DIR)/debian/config/*/defines $(KERNEL_DIR)/debian/config/defines
+	# do not sign images
+	# FIXME: this should be a proper patch in patches/debian, so
+	# we're warned early on when we bump versions and the syntax
+	# has changed
+	perl -i -pe 's/signed-code:.*/signed-code: false/' $(KERNEL_DIR)/debian/config/*/defines $(KERNEL_DIR)/debian/config/defines
+	# clear trusted-certs to avoid needing Debian UEFI certs during build
+	# In Bookworm, SYSTEM_TRUSTED_KEYS is set via KCONFIG_OPTIONS from
+	# the trusted-certs defines setting rather than in the config file
+	perl -i -pe 's/^trusted-certs:.*/trusted-certs:/' $(KERNEL_DIR)/debian/config/defines
+	cd ${KERNEL_DIR};make -f debian/rules debian/control-real || true
+	# # limit the arch-dep target to untangle kernels
+	# perl -i -pe 's/(binary-arch_.*)/$$1_untangle/' $(KERNEL_DIR)/debian/rules
+
+clean::
+	rm -rf ${KERNEL_DIR} *stamp
+	rm -f *.deb modules/*.deb
+	rm -f *.udeb modules/*.udeb
+
+force:

debian-6.1.159/changelog

@@ -0,0 +1,11 @@
+linux (6.1.159-1+untangle1bookworm) current; urgency=medium
+
+  * Initial Bookworm kernel with Untangle patches
+  * Port bridge MAC ageing fix to 6.1.159
+  * Port extensions patch (IP_SADDR, IP_SENDNFMARK) to 6.1.159
+  * Port IPsec policy bypass to 6.1.159
+  * Port socket mark restoration to 6.1.159
+  * Port MAC byte matching support to 6.1.159
+
+ -- Rohit Singh <rohit@arista.com>  Mon, 17 Feb 2026 12:00:00 +0530
+

debian-6.1.159/kernel.conf

@@ -0,0 +1,11 @@
+#########################################
+## kernel conf for bookworm's 6.1 kernel
+
+# upstream version
+UPSTREAM_VERSION = 6.1.159
+
+# debian version
+DEBIAN_VERSION = 1
+
+# repository
+REPOSITORY = bookworm