> Because if one of those iptables fails above you're in an inconsistent state.

These days iptables is a legacy interface implemented on top of nftables. And nftables does provide atomic rule replacement: https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rul...

So you would have a file with something like:

    table inet filter {
       chain input {
           tcp dport 8080 accept
       }

    }

    $ nft -f input_file