diff --git a/docs/standalone.xml b/docs/standalone.xml
index d075d6110..daf4c28b4 100644
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@@ -487,6 +487,37 @@ root@lists:~#
+
+ Kernel Module Loading
+
+ Beginning in Shorewall 4.4.7,
+ /etc/shorewall/shorewall.conf contains a
+ LOAD_HELPERS_ONLY option which is set to in the
+ samples. This causes Shorewall to attempt to load the modules listed in
+ /usr/share/shorewall/helpers. In addition, it sets
+ sip_direct_media=0 when loading the
+ nf_conntrack_sip module. That setting is somewhat less secure than
+ sip_direct_media=1, but it generally
+ makes VOIP through the firewall work much better.
+
+ The modules in /usr/share/shorewall/helpers are
+ those that are not autoloaded. If your kernel does not support module
+ autoloading and you want Shorewall to attempt to load all netfilter
+ modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
+ cause Shorewall to try to load the modules listed in
+ /usr/share/shorewall/modules. That file does not set
+ sip_direct_media=0.
+
+ If you need to modify either
+ /usr/share/shorewall/helpers or
+ /usr/share/shorewall/modules then copy the file to
+ /etc/shorewall and modify the copy.
+
+
+
+ Modify the setting of LOAD_HELPER_ONLY as necessary.
+
+
Enabling other Connections
diff --git a/docs/three-interface.xml b/docs/three-interface.xml
index 30d4c4b93..d46d8e04b 100644
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -755,6 +755,37 @@ root@lists:~#
+
+ Kernel Module Loading
+
+ Beginning in Shorewall 4.4.7,
+ /etc/shorewall/shorewall.conf contains a
+ LOAD_HELPERS_ONLY option which is set to in the
+ samples. This causes Shorewall to attempt to load the modules listed in
+ /usr/share/shorewall/helpers. In addition, it sets
+ sip_direct_media=0 when loading the
+ nf_conntrack_sip module. That setting is somewhat less secure than
+ sip_direct_media=1, but it generally
+ makes VOIP through the firewall work much better.
+
+ The modules in /usr/share/shorewall/helpers are
+ those that are not autoloaded. If your kernel does not support module
+ autoloading and you want Shorewall to attempt to load all netfilter
+ modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
+ cause Shorewall to try to load the modules listed in
+ /usr/share/shorewall/modules. That file does not set
+ sip_direct_media=0.
+
+ If you need to modify either
+ /usr/share/shorewall/helpers or
+ /usr/share/shorewall/modules then copy the file to
+ /etc/shorewall and modify the copy.
+
+
+
+ Modify the setting of LOAD_HELPER_ONLY as necessary.
+
+
Port Forwarding (DNAT)
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index 47d4cc840..fec4aaa7f 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -707,6 +707,37 @@ root@lists:~#
+
+ Kernel Module Loading
+
+ Beginning in Shorewall 4.4.7,
+ /etc/shorewall/shorewall.conf contains a
+ LOAD_HELPERS_ONLY option which is set to in the
+ samples. This causes Shorewall to attempt to load the modules listed in
+ /usr/share/shorewall/helpers. In addition, it sets
+ sip_direct_media=0 when loading the
+ nf_conntrack_sip module. That setting is somewhat less secure than
+ sip_direct_media=1, but it generally
+ makes VOIP through the firewall work much better.
+
+ The modules in /usr/share/shorewall/helpers are
+ those that are not autoloaded. If your kernel does not support module
+ autoloading and you want Shorewall to attempt to load all netfilter
+ modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
+ cause Shorewall to try to load the modules listed in
+ /usr/share/shorewall/modules. That file does not set
+ sip_direct_media=0.
+
+ If you need to modify either
+ /usr/share/shorewall/helpers or
+ /usr/share/shorewall/modules then copy the file to
+ /etc/shorewall and modify the copy.
+
+
+
+ Modify the setting of LOAD_HELPER_ONLY as necessary.
+
+
Port Forwarding (DNAT)