I have been testing some iptables string match rules on Linux KVM virtual machines with a bridged interface (Fedora 12 & 13 64-bit), for example a rule in the INPUT chain that sits before the other port 80 rules:
-m string --algo bm --icase --string "phpMyAdmin" -j LOG --log-prefix "phpmyadmin test "
However, no traffic is ever logged, despite the fact that various GET requests for "phpMyAdmin" are hitting the server logs.
On the other hand, if I put the same rule in the FORWARD chain on the KVM host, before the -m physdev --physdev-is-bridged -j ACCEPT rule, those GET requests are successfully logged.
Does anyone know why this might be, or could it be a bug in the virtio LAN driver for the guest machines? I understand there is a possibility that the GET request could straddle more than one packet; however, I have verified with tcpdump captures that this is not the problem.
[edit] I should also mention that other rules in the INPUT chain of the guests are working as expected. I have only had problems with the string matching rules.
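As an added illustration (not code from the original question), the following Python model shows what `-m string --icase` actually examines: one packet at a time, searched from the start of the IP header (the default `--from 0`) and never across TCP segment boundaries. The packet builder, the sample GET request and the `string_match` function are all constructed here for the example; `string_match` uses a plain substring search in place of the kernel's Boyer-Moore implementation, which has the same match/no-match result for this purpose.

```python
"""
Per-packet model of iptables `-m string [--icase] --string PATTERN`.
Constructed illustration: packet bytes and the request are made up here.
"""
import struct


def ipv4_tcp_packet(payload: bytes, src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01",
                    sport=40000, dport=80, seq=1) -> bytes:
    """Build a minimal IPv4 + TCP packet. Checksums are left zero: the
    string match never looks at them, so they do not matter for this model."""
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto 6 (TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src, dst)
    return ip_hdr + tcp_hdr + payload


def string_match(packet: bytes, pattern: str, icase: bool = True,
                 from_off: int = 0, to_off: int = 65535) -> bool:
    """Search one packet within the [--from, --to] window, as xt_string does.
    The window starts at the IP header, so headers are searched too."""
    window = packet[from_off:to_off]
    needle = pattern.encode()
    if icase:
        window, needle = window.lower(), needle.lower()
    return window.find(needle) != -1


# Constructed sample request of the kind the question says was seen in the server logs.
REQUEST = b"GET /phpMyAdmin/index.php HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"


def whole_request_matches() -> bool:
    """Request carried in a single segment: the rule matches."""
    return string_match(ipv4_tcp_packet(REQUEST), "phpMyAdmin")


def split_request_matches() -> list:
    """Same request straddling two segments, split inside the pattern
    ('...php' | 'MyAdmin...'): neither segment matches on its own, because
    the match is per packet and does not reassemble the TCP stream."""
    cut = REQUEST.index(b"phpMy") + 3
    seg1 = ipv4_tcp_packet(REQUEST[:cut], seq=1)
    seg2 = ipv4_tcp_packet(REQUEST[cut:], seq=1 + cut)
    return [string_match(seg1, "phpMyAdmin"), string_match(seg2, "phpMyAdmin")]


def case_insensitive_matches() -> bool:
    """--icase: an upper-cased path still matches."""
    return string_match(ipv4_tcp_packet(b"GET /PHPMYADMIN/ HTTP/1.0\r\n\r\n"), "phpMyAdmin")


def case_sensitive_matches() -> bool:
    """Without --icase the same upper-cased path does not match."""
    return string_match(ipv4_tcp_packet(b"GET /PHPMYADMIN/ HTTP/1.0\r\n\r\n"),
                        "phpMyAdmin", icase=False)


if __name__ == "__main__":
    print("single segment :", whole_request_matches())
    print("split segments :", split_request_matches())
    print("--icase        :", case_insensitive_matches())
    print("case sensitive :", case_sensitive_matches())
```

On the real machine, the per-rule packet and byte counters shown by `iptables -nvL INPUT` tell you whether the string rule is being evaluated and matching at all, independently of whether the LOG target's output is reaching the log file.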
I had a similar issue with VirtualBox: string matching was not happening on INPUT. Later I found that the matching string has to be HTML encoded, so if you have a space you need to put the encoded HTML for a space; the same goes for forward slashes.
I suggest using tcpdump; it helped me with debugging this issue.