Can the legacy --link --icc=false be implemented with the new docker network API?

We want to solve the following scenario with docker:

We have one container (server) which has access to the local network and the internet. The second container (worker) should connect to the first container and the internet, but any connection to the local network must be restricted. Furthermore, we want to create multiple such pairs of containers on the same machine, where one worker is always linked to one server. Is it possible to implement this with the new network API of Docker?

Currently we use one user-defined bridge network over which the first container can access the local network and the internet. Furthermore, we employ the legacy “bridge” network in order to link the worker to the server. However, we still have some issues handling port exposing, container discovery and access restriction. And since the bridge network is marked as a legacy solution, we want to switch to the new network API.

Any help is highly appreciated.