Rootless docker cannot start containers bound to different IPs but the same port

[F13]

Description

This is a re-submission of the bug submitted here: docker/compose#11169.

The summary is that on a host with multiple IP addresses, I cannot assign two containers to the same port, even if I use separate IPs.

I'd like to be able to have separate infrastructure on a single host. In this case, I have a LAN interface and a DMZ interface, and I would like to be able to have a separate reverse proxy container for each.

Reproduce

1. docker run -p 192.168.1.9:80:80 nginx
2. docker run -p 192.168.255.2:80:80 nginx
3. Observe that step 2 fails with docker: Error response from daemon: driver failed programming external connectivity on endpoint: Timed out proxy starting the userland proxy.

Expected behavior

Docker should bind the container to the given port on the given interface.

docker version

Client:
 Version:           26.1.1
 API version:       1.45
 Go version:        go1.22.2
 Git commit:        4cf5afaefa
 Built:             Mon May  6 15:39:43 2024
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          26.0.1
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.22.2
  Git commit:       60b9add796
  Built:            Fri Apr 12 06:20:40 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.15
  GitCommit:        926c9586fe4a6236699318391cd44976a98e31f1.m
 runc:
  Version:          1.1.12
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
 rootlesskit:
  Version:          2.1.0
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       builtin
  StateDir:         /run/user/969/dockerd-rootless
 slirp4netns:
  Version:          1.3.0
  GitCommit:        8a4d4391842f00b9c940bb8f067964427eb0c964

docker info

[docker@COLOSSUS ~]$ docker info
Client:
 Version:    26.1.1
 Context:    default
 Debug Mode: false
 Plugins:
  compose: Docker Compose (Docker Inc.)
    Version:  2.27.0
    Path:     /usr/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 27
  Running: 6
  Paused: 0
  Stopped: 21
 Images: 17
 Server Version: 26.0.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 926c9586fe4a6236699318391cd44976a98e31f1.m
 runc version: 
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.6.28-1-lts
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 24
 Total Memory: 251.8GiB
 Name: COLOSSUS
 ID: 3a60985c-2e65-4a44-aac6-8d84b46d02fa
 Docker Root Dir: /home/docker/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional Info

No response