Running services in Docker Swarm uses the Swarm routing mesh, which results in source NAT (SNAT). If you need to bypass this, check out this guide.
After upgrading Docker, you may run into a situation where the Docker daemon itself no longer starts because of an issue with firewalld.
Containers are not virtual machines, yet we might want to treat hosts running container workloads like hypervisors and apply limitations on container networking. This guide describes a way to limit container networking on Docker-based container hosts using firewalld.