Ideally, Dockerd should not mess directly with iptables but instead call a wrapper which registers the needed rules in an SME DB, so they can be handled in templates and persist across masq restart/adjust. That's what I did with fail2ban for example. But I don't know if it's feasible.