idempotent nft delete table? (or: why does "flush table" delete rules but keep chains?)

[trentbuck@gmail.com (Trent W. Buck)]

A typical ruleset looks like

    flush ruleset
    table filter { ... }

That works fine until I have several partial rulesets (e.g. the
sysadmin, libvirtd, and sshguard) that manage their own tables in
parallel, e.g.

    foo.nft:
        flush ruleset
        table foo { ... }

    bar.nft:
        flush ruleset
        table bar { ... }

If I reload either file, both tables are removed, and only one table is
readded.

The obvious thing to try is this:

        flush table foo
        table foo { ... }

However this doesn't flush the chains, only the rules.
So if you make an edit like this:

         flush table foo
         table x {
       -   chain y {
       +   chain z {
             type filter hook input priority filter; policy drop
             tcp dport ssh accept
             }
         }

What you end up with is a ruleset that looks like this:

       table x {
           chain y {
               type filter hook input priority filter; policy drop;
           }
           chain z {
               type filter hook input priority filter; policy drop;
               tcp dport ssh accept
           }
       }

...and your SSH stops working.

I also considered this, but it will error out if the table doesn't exist yet:

        flush table foo
        table foo { ... }

I suppose I could use add table (which is idempotent) and then delete
table (which isn't), so ending up with

        table foo
        flush table foo
        table foo { ... }

Is this sensible?  Have I missed something obvious?

PS: I think the way normal people handle this is with a middleware layer
like firewalld (Fedora) or ufw (Ubuntu), but those are a bit too
heavyweight for my taste.