
Daemon config - Changing to userland-proxy: true does not undo route_localnet=1 #45578

Open
polarathene opened this issue May 19, 2023 · 0 comments
Labels
area/networking/proxy area/networking kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage version/24.0

Comments

@polarathene (Contributor)

Description

Niche bug (Discovered while looking into userland-proxy setting differences):

  • When changing to userland-proxy: false, docker networks will enable sysctl net.ipv4.conf.$iface.route_localnet=1.
  • When changing to userland-proxy: true, this is not reverted until restart of the host?

Effectively the same behaviour as previously reported with IPTables NAT rules.

  • May be due to assuming userland-proxy: true should not tamper with the setting if it's enabled.
  • Whereas for userland-proxy: false it's required to be enabled for localhost:port routing to containers.

Reproduce

# `userland-proxy: true` (default):
$ sysctl net.ipv4.conf.docker0.route_localnet
0

# Change to false:
$ echo '{ "userland-proxy": false }' > /etc/docker/daemon.json
$ systemctl restart docker
$ sysctl net.ipv4.conf.docker0.route_localnet
1

# Back to true:
$ echo '{ "userland-proxy": true }' > /etc/docker/daemon.json
$ systemctl restart docker
# Inconsistent (reboot and will be set to 0 again):
$ sysctl net.ipv4.conf.docker0.route_localnet
1

Expected behavior

If Docker set route_localnet, it should unset it when userland-proxy changes to true.

Unless as a precaution route_localnet is not disabled. This is not documented however, and may result in unexpected behaviour.

docker version

Client: Docker Engine - Community
 Version:           24.0.0
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        98fdcd7
 Built:             Mon May 15 18:50:53 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.0
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       1331b8c
  Built:            Mon May 15 18:49:18 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    24.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 24.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
 runc version: v1.1.7-0-g860f061
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.2.13-300.fc38.x86_64
 Operating System: Fedora Linux 38 (Server Edition)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 947.4MiB
 Name: docker-bug
 ID: 82686560-5a98-48ec-afc1-897fca11bdfe
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

@polarathene polarathene added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels May 19, 2023
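A drift check for the state this issue describes, added here as an example; it is not code from the issue or from Moby. It derives the route_localnet value Docker is expected to leave on a bridge from the daemon.json userland-proxy key (1 only when the key is false, matching the expected behaviour above) and compares it with the live sysctl, so a bridge left at 1 after switching back to userland-proxy: true is reported rather than silently kept. The path /etc/docker/daemon.json and the interface docker0 come from the reproduction steps; the function names, the RUN_LIVE_CHECK variable and the whitespace-stripped substring match instead of a full JSON parser are my assumptions.

```shell
#!/bin/sh
# route_localnet drift check (example script, not part of Docker).
# Pure functions take the config text and the sysctl value as arguments so the
# logic can be exercised offline; live_check reads the real host.

# expected_route_localnet CONFIG_JSON
# Prints the route_localnet value Docker should leave on a bridge interface:
# 1 when daemon.json sets "userland-proxy": false, otherwise 0 (the default,
# userland-proxy: true, does not need route_localnet).
expected_route_localnet() {
    # Strip all whitespace so '"userland-proxy" : false' and
    # '"userland-proxy":false' are matched alike (assumption: no JSON parser).
    if printf '%s' "$1" | tr -d ' \n\t' | grep -q '"userland-proxy":false'; then
        echo 1
    else
        echo 0
    fi
}

# check_route_localnet CONFIG_JSON ACTUAL_VALUE
# Returns 0 when the sysctl matches the configuration, 1 on drift
# (e.g. config says userland-proxy: true but the interface still has 1).
check_route_localnet() {
    expected=$(expected_route_localnet "$1")
    if [ "$expected" = "$2" ]; then
        return 0
    fi
    return 1
}

# live_check [IFACE] [DAEMON_JSON_PATH]
# Reads the host's daemon.json and the sysctl for IFACE (default docker0,
# the bridge named in the issue) and reports ok, drift or unreadable sysctl.
live_check() {
    iface=${1:-docker0}
    cfg_path=${2:-/etc/docker/daemon.json}
    cfg=""
    if [ -r "$cfg_path" ]; then
        cfg=$(cat "$cfg_path")
    fi
    actual=$(sysctl -n "net.ipv4.conf.$iface.route_localnet" 2>/dev/null) || {
        echo "cannot read route_localnet for interface $iface"
        return 2
    }
    if check_route_localnet "$cfg" "$actual"; then
        echo "ok: $iface route_localnet=$actual matches daemon.json"
        return 0
    fi
    echo "drift: $iface route_localnet=$actual, expected $(expected_route_localnet "$cfg")"
    return 1
}

# Only touch the live host when explicitly asked (assumed env variable), so the
# functions above can be sourced and tested without root or Docker installed.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    live_check "$@"
fi
```

Run it as `RUN_LIVE_CHECK=1 sh drift_check.sh docker0` after each daemon.json change and restart; a non-zero exit on the "back to true" step is the inconsistency reported above. The sysctl is worth tracking because route_localnet=1 tells the kernel to stop treating 127.0.0.0/8 as a martian destination on that interface, which is what lets DNAT deliver localhost:port to a container, so the setting should never be wider than the configuration that asked for it.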