diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index 94dd32b90fa..77c4bd3eeaa 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -444,7 +444,11 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
 if not rule['protocol']:
 raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
 ip_proto = self._get_ip_proto_number(rule['protocol'])
- if ip_proto in [constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP]:
+ # Not all firewall_driver support all these protocols,
+ # but being strict here doesn't hurt.
+ if ip_proto in [constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP,
+ constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP,
+ constants.PROTO_NUM_UDPLITE]:
 if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
 raise ext_sg.SecurityGroupInvalidPortValue(port=0)
 elif (rule['port_range_min'] is not None and
diff --git a/neutron/tests/unit/db/test_securitygroups_db.py b/neutron/tests/unit/db/test_securitygroups_db.py
index 85c52094acb..ccbf5741a24 100644
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@@ -440,3 +440,20 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
 {'port_range_min': pmin,
 'port_range_max': pmax,
 'protocol': protocol})
+
+ def test__validate_port_range_exception(self):
+ self.assertRaises(securitygroup.SecurityGroupInvalidPortValue,
+ self.mixin._validate_port_range,
+ {'port_range_min': 0,
+ 'port_range_max': None,
+ 'protocol': constants.PROTO_NAME_TCP})
+ self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
+ self.mixin._validate_port_range,
+ {'port_range_min': 1,
+ 'port_range_max': None,
+ 'protocol': constants.PROTO_NAME_SCTP})
+ self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
+ self.mixin._validate_port_range,
+ {'port_range_min': 1000,
+ 'port_range_max': 1,
+ 'protocol': constants.PROTO_NAME_UDPLITE})
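Review bot: The set of port-bearing protocols that gates the port-range check is spelled out as an inline list literal inside the method, and the justification comment above it is ungrammatical (`firewall_driver support`); hoist the list to a module-level constant so the policy is defined once and visible at the top of the module, e.g. `_PORT_RANGE_PROTOCOLS = frozenset((constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP, constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP, constants.PROTO_NUM_UDPLITE))` and `if ip_proto in _PORT_RANGE_PROTOCOLS:`. I would reword the comment to `# Not every firewall driver enforces ports for all of these protocols, but rejecting malformed ranges at the API layer is harmless and keeps stored rules well-formed.` The stricter check only rejects rule shapes (port 0, and from the visible `elif` presumably inverted or half-open ranges); what a driver lacking DCCP/SCTP/UDP-Lite support does with an accepted rule is not visible here and should be confirmed before such a rule is relied on for isolation. The enclosing method (presumably `_validate_port_range`, given the test hunk) begins before this hunk and its remaining branches continue past it.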
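Review bot: DCCP is the one newly validated protocol that `test__validate_port_range_exception` never exercises, and the port-0 case is only asserted for TCP, which was already validated before this change; add a DCCP case such as `self.assertRaises(securitygroup.SecurityGroupInvalidPortValue, self.mixin._validate_port_range, {'port_range_min': 0, 'port_range_max': None, 'protocol': constants.PROTO_NAME_DCCP})`. A positive case showing that a well-formed range is accepted for one of the new protocols would pin the other direction of the check; the parameterized test whose dict closes at the top of the hunk may already cover that, but its protocol list is outside the hunk. Each `assertRaises` here is independent, so splitting them into separate test methods would make a failure report name the offending protocol directly.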
diff --git a/releasenotes/notes/security-group-port-range-check-73114bdcde459e53.yaml b/releasenotes/notes/security-group-port-range-check-73114bdcde459e53.yaml
new file mode 100644
index 00000000000..9277998e074
--- /dev/null
+++ b/releasenotes/notes/security-group-port-range-check-73114bdcde459e53.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - In security group rules API, API level validation for port_range values
+ has been performed only against TCP and UDP. Now it is performed
+ against DCCP, SCTP and UDP-Lite, too.