diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index af3c91e..449e27b 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -3,6 +3,11 @@ name: Build
 on:
 push:
 branches: main
+ pull_request:
+ branches: main
+
+env:
+ USER: root
 jobs:
 build:
@@ -11,18 +16,23 @@ jobs:
 - uses: actions/checkout@v3
 - run: sudo apt-get update
 - run: sudo apt-get install xz-utils curl p7zip-full jq sqlite3 -y
+ - run: sudo mkdir -p /nix && sudo chown -R "$(id -u):$(id -g)" /nix
 - uses: cachix/install-nix-action@v27
 with:
 github_access_token: ${{ secrets.GITHUB_TOKEN }}
 extra_nix_config: |
 max-jobs = 8
 cores = 8
- - uses: nix-community/cache-nix-action@v5
+ # install-nix-action writes /etc/nix/nix.conf as root; loosen perms so
+ # the runner user (used by cachix-action) can append substituter lines.
+ - run: sudo chmod 666 /etc/nix/nix.conf
+ - uses: cachix/cachix-action@v17
 with:
- primary-key: ${{ runner.os }}-nix-store
+ name: rehosting
+ authToken: ${{ secrets.CACHIX_REHOSTING }}
 - uses: DeterminateSystems/flake-checker-action@main
 - run: nix flake check
- - run: nix build
+ - run: nix build -L
 - run: tar -chzvf hyperfs.tar.gz result
 - uses: reecetech/version-increment@2023.10.1
 id: version
@@ -30,6 +40,7 @@ jobs:
 use_api: true
 - name: Create release
+ if: github.event_name == 'push'
 id: create_release
 uses: actions/create-release@v1
 env:
@@ -42,6 +53,7 @@ jobs:
 prerelease: false
 - name: Upload release asset
+ if: github.event_name == 'push'
 uses: actions/upload-release-asset@v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -52,6 +64,7 @@ jobs:
 asset_content_type: application/gzip
 - name: Publish release
+ if: github.event_name == 'push'
 uses: StuYarrow/publish-release@v1.1.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/src/cross-overlays.nix b/src/cross-overlays.nix
index 10d546a..6a8a829 100644
--- a/src/cross-overlays.nix
+++ b/src/cross-overlays.nix
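Review bot: `USER: root` is exported to every step, yet the next hunk's `sudo chown -R "$(id -u):$(id -g)" /nix` and its comment about "the runner user" show the job does not run as root, so any tool that keys off `$USER` is now told a name that does not match the real uid. If a specific tool needs it (USER is commonly unset in the runner environment), name that tool in a comment above the line, e.g. `# USER is unset on hosted runners; <tool> requires it — note this is NOT the real uid, steps run as the runner user`; otherwise drop the variable. Also worth a comment on the new `pull_request:` trigger: fork PRs run this workflow with a read-only `GITHUB_TOKEN` and without repository secrets, which affects the cachix step further down.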
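Review bot: `sudo chmod 666 /etc/nix/nix.conf` makes the daemon's trust configuration (substituters, trusted-public-keys) world-writable for the remainder of the job, including while `nix flake check` and `nix build` run on code that, with the new `pull_request` trigger, may come from a PR; the comment only needs the runner user to be able to append. Give that user ownership instead of opening the file to everyone: `- run: sudo chown "$(id -u):$(id -g)" /etc/nix/nix.conf`. Separately, `authToken: ${{ secrets.CACHIX_REHOSTING }}` is empty on fork PRs and, as far as I can tell, cachix-action then runs in pull-only mode; make the push policy explicit rather than rely on that with `skipPush: ${{ github.event_name != 'push' }}` so PR builds can never publish to the `rehosting` cache even when a same-repo branch does have the secret.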
@@ -22,10 +22,24 @@
 p11-kit = super.p11-kit.overrideAttrs { doCheck = false; };
 })
- # GnuTLS' docs build runs generated target binaries such as lt-errcodes.
+ # OpenSSL's 04-test_bio_dgram.t fails in restricted CI sandboxes that lack
+ # proper DGRAM/IPv6 loopback. Skip the test phase rather than carry an
+ # upstream-specific patch.
+ (self: super: {
+ openssl = super.openssl.overrideAttrs { doCheck = false; };
+ })
+
+ # GnuTLS' docs build runs generated target binaries such as lt-errcodes,
+ # which fails when cross-compiling. Disable the build and also drop the
+ # devdoc/man outputs, otherwise nix fails with "failed to produce output
+ # path for output 'devdoc'" / "'man'" since the directories are never
+ # created.
 (self: super: {
 gnutls = super.gnutls.overrideAttrs (o: {
 configureFlags = (o.configureFlags or [ ]) ++ [ "--disable-doc" ];
+ outputs = builtins.filter
+ (x: !(builtins.elem x [ "devdoc" "man" ]))
+ (o.outputs or [ "out" ]);
 });
 })
@@ -37,9 +51,15 @@
 });
 })
- # Disable unused and/or broken-on-some-platforms elfutils features
+ # Disable unused and/or broken-on-some-platforms elfutils features, and
+ # ensure pkg-config is available at build time. Must use
+ # buildPackages.pkg-config (the build-host variant) rather than
+ # self.pkg-config — the latter is the cross/target pkg-config and the
+ # build sandbox can't execute it.
 (self: super: {
- elfutils = super.elfutils.override { enableDebuginfod = false; };
+ elfutils = (super.elfutils.override { enableDebuginfod = false; }).overrideAttrs (o: {
+ nativeBuildInputs = (o.nativeBuildInputs or [ ]) ++ [ self.buildPackages.pkg-config ];
+ });
 })
 ]
diff --git a/src/pkgs/iptables-legacy.nix b/src/pkgs/iptables-legacy.nix
new file mode 100644
index 0000000..72164ff
--- /dev/null
+++ b/src/pkgs/iptables-legacy.nix
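Review bot: `openssl = super.openssl.overrideAttrs { doCheck = false; }` disables OpenSSL's entire test suite to dodge one test, removing the only build-time check that the crypto library this image ships actually works. If the derivation's check phase is the standard `make test`, exclude just that test instead: `openssl = super.openssl.overrideAttrs (o: { checkFlags = (o.checkFlags or [ ]) ++ [ "TESTS=-test_bio_dgram" ]; });`. If these overlays are only ever applied to cross builds, also confirm the override is needed at all, since stdenv already skips the check phase when the build platform cannot execute host binaries — in that case the comment should say the override is for native CI builds. The gnutls `outputs` filter is fine; falling back to `[ "out" ]` matches mkDerivation's default.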
@@ -0,0 +1,8 @@
+pkgs:
+
+# In modern nixpkgs, the plain "iptables" symlink points to the NFT backend,
+# so we must explicitly request "iptables-legacy" (→ xtables-legacy-multi).
+pkgs.iptables // {
+ iglooName = "iptables-legacy";
+ meta = pkgs.iptables.meta // { mainProgram = "iptables-legacy"; };
+}
diff --git a/src/pkgs/iptables-nft.nix b/src/pkgs/iptables-nft.nix
new file mode 100644
index 0000000..b5965ad
--- /dev/null
+++ b/src/pkgs/iptables-nft.nix
@@ -0,0 +1,8 @@
+pkgs:
+
+# xtables-nft-multi is the multi-call binary for the nf_tables frontend.
+# Override mainProgram so getExe resolves to the nft variant's symlink.
+pkgs.iptables // {
+ iglooName = "iptables-nft";
+ meta = pkgs.iptables.meta // { mainProgram = "iptables-nft"; };
+}
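Review bot: `pkgs.iptables // { ... }` is a plain attrset update, so the `override`/`overrideAttrs` functions it carries still close over the original derivation; any later `.overrideAttrs` on this value yields a package without `iglooName` and with the original `meta.mainProgram`, i.e. the nft backend the comment is trying to avoid. That is easy to miss and deserves a line next to the update: `# NOTE: attrset update only — .override/.overrideAttrs on this value discard iglooName/mainProgram; re-apply afterwards.` The comment also presumes `bin/iptables-legacy` exists in the nixpkgs `iptables` output, which as far as I know holds for the nftables-enabled build but not for `pkgs.iptables-legacy`; stating which base package is expected would stop a future swap from silently resolving `getExe` to a missing path.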
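Review bot: This file is the legacy variant with two strings swapped, and the two are easy to let drift; a single helper taking the variant name would keep them in lockstep, e.g. `mkIptables = variant: pkgs.iptables // { iglooName = "iptables-${variant}"; meta = pkgs.iptables.meta // { mainProgram = "iptables-${variant}"; }; }` with each file reduced to `pkgs: (mkIptables "nft")`. Where such a helper lives depends on how `src/pkgs/*.nix` are loaded, which is outside this diff. Independently, the comment should say that `getExe` resolving to `bin/iptables-nft` depends on the nixpkgs `iptables` build shipping both multi-call binaries, so a switch of the base package is recognised as a breaking change.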