What is the purpose of -m, --match in an Iptables rule?

Question

Many Iptables rules contain this -m or --match option, for example

-I INPUT -p tcp -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP

Is this -m or --match simply "special" option which is a precursor to an "normal" option?
for example, with this rule

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP

Does the term -m tcp say to Iptables, the next option that follows will be intended for the tcp module - then the --tcp-flags FIN,SYN,RST,ACK SYN term will be interpreted in that context?
To put it another way, would the option -m tcp be meaningless if it was specified by itself inside an Iptables rule?

Answer 1

The -m or --match option is used to enable one or more extended packet matching modules with the given name(s). Take for example the module connbytes. This can be used to create rules that match how many bytes a connection has transferred.

The man page for iptables gives a good description of this:

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

I would highly recommend reading through the iptables-extensions man page, which documents the modules included in the standard distribution of iptables:

$ man iptables-extensions