Here are the functions I use to do this (moving back and forth between the format Qualys uses and instances of the objects provided by ipaddr:

def is_valid_ip_address(address, version=None):
    """ Check validity of address
        Return True if 'address' is a valid ipv4 or ipv6 address.
    """
    # Validate version:
    if version:
        if not isinstance(version, int):
            raise TypeError, 'Version is not of type "int"'
            return False
        if not (version == 4 or version == 6):
            raise ValueError, 'IP version is set to an invalid number: %s' % version
            return False
    try:
        ipaddr.IPAddress(address.strip(),version)
    except ValueError:
        return False
    return True

def is_valid_ipv4_address(address):
    """ Check validity of address
        Return True if 'address' is a valid ipv4 address.
    """
    return is_valid_ip_address(address,4)

def is_valid_ipv6_address(address):
    """ Check validity of address
        Return True if 'address' is a valid ipv6 address.
    """
    return is_valid_ip_address(address,6)

def is_valid_ip_range(iprange, version=None):
    """ Check validity of iprange
        Return True if 'iprange' is a range of ip addresses in a format that Qulys's API will accept (i.e. "startip-endip" where startip < endip).
    """
    # Validate version:
    if version:
        if not isinstance(version, int):
            raise TypeError, 'Version is not of type "int"'
            return False
        if not (version == 4 or version == 6):
            raise ValueError, 'IP version is set to an invalid number: %s' % version
            return False

    try:
        (start_ip,end_ip) = iprange.split('-')
        start_ip = start_ip.strip()
        end_ip = end_ip.strip()
        if ipaddr.IPAddress(start_ip) == ipaddr.IPAddress(end_ip):
            logging.debug('%s/%s-%s, Error: %s' % (package,module,version,'Start and End IP Address in an IP Range can not be the same IP Address.'))
            return False
        # A valid range requires:
        # 1) The start_ip must be a valid ip address.
        # 2) The end_ip must be a valid ip address.
        # 3) The start_ip must be less than the end_ip.
        # Although socket operations (as are used in qualysconnect.util) are nice, it's not feasible to determine that the start_ip is less than the 
        # end_ip without considerable effort.  We'll use the ipaddr.summarize_address_range function to test all three at one time.
        ipaddr.summarize_address_range(ipaddr.IPAddress(start_ip,version),ipaddr.IPAddress(end_ip,version))
    except ipaddr.AddressValueError, e:
        logging.debug('%s/%s-%s, Error: %s' % (package,module,version,e))
        return False
    except ValueError, e:
        logging.debug('%s/%s-%s, Error: %s' % (package,module,version,e))
        return False
    return True

def is_valid_ipv4_range(iprange):
    """ Check validity of iprange
        Return True if 'iprange' is a range of ipv4 addresses in a format that Qulys's API will accept (i.e. "startip-endip" where startip < endip).
    """
    return is_valid_ip_range(iprange,4)

def is_valid_ipv6_range(iprange):
    """ Check validity of iprange
        Return True if 'iprange' is a range of ipv4 addresses in a format that Qulys's API will accept (i.e. "startip-endip" where startip < endip).
    """
    return is_valid_ip_range(iprange,6)

def cidr_to_ip(cidr,version=None):
    """ Convert an ip address or ip range provided in cidr notation (either bitmask or netmask notation) to the ip address or ip range format that is
        accepted by Qualys's API. (e.g. cidr_to_ip('10.0.0.0/24') returns the string '10.0.0.0-10.0.0.255'.
        Returns a String containing an ip address or ip range that can be provided to the Qualys API. 
    """
    # Validate version:
    if version:
        if not isinstance(version, int):
            raise TypeError, 'Version is not of type "int"'
            return False
        if not (version == 4 or version == 6):
            raise ValueError, 'IP version is set to an invalid number: %s' % version
            return False
    try:
        cidr_net = ipaddr.IPNetwork(cidr,version)
    except ValueError, e:
        logging.debug('%s/%s-%s, Error: %s' % (package,module,version,e))
        raise ValueError, e
    if cidr_net[0] == cidr_net[-1]:
        return str(cidr_net[0])
    iprange = '%s-%s' % (cidr_net[0],cidr_net[-1])
    return iprange

def cidr_to_ipv4(cidr):
    """ Convert an ipv4 address or ipv4 range provided in cidr notation (either bitmask or netmask notation) to the ip address or ip range format that is
        accepted by Qualys's API. (e.g. cidr_to_ip('192.0.2.0/24') returns the string '192.0.2.0-192.0.2.255'.
        Returns a String containing an ip address or ip range that can be provided to the Qualys API. 
    """
    return cidr_to_ip(cidr,4)

def cidr_to_ipv6(cidr):
    """ Convert an ipv6 address or ipv6 range provided in cidr notation (either bitmask or netmask notation) to the ip address or ip range format that is
        accepted by Qualys's API. (e.g. cidr_to_ip('2001:db8::fff/120') returns the string '2001:db8::f00-2001:db8::fff'.
        Returns a String containing an ipv6 address or ipv6 range that can be provided to the Qualys API. 
    """
    return cidr_to_ip(cidr,4)

def decode_ip_string(ipstring):
    """ Validates ipstring is in a format that can be provided to the Qualys API, if it is not in a format that can be accepted by the Qualys API, it attempts
        to put it in a format that is acceptable (e.g. converting cidr notation to the ip range notation that Qualys expects)
        Returns a string that is valid to hand to the 'ips' key in the Qualys API.
    """
    cml=[]
    ip_list = ipstring.split(',')
    # Should probably check for any repeated or overlapping IP addresses here, but skipping for now.
    for i in ip_list:
        # This is a kludge, but I couldn't come up with a good way to make the error report the string that generated the error, rather than the
        # potentially modified version of the string that caused the error.
        new_i=i 
        if '/' in i:
            new_i = cidr_to_ip(i)
        if (is_valid_ip_address(new_i) or is_valid_ip_range(new_i)):
            cml.append(new_i)
        else:
            raise ValueError, "IP argument cannot be parsed, \'%s\' is not a valid IP Range or IP Address" % i
    return ",".join(cml)

def ip_string_to_cidr(ipstring):
    """ Accepts ipstring - a string list of IPs in the format the Qualys expects or has provided (via API calls) and returns a list of ipaddr.IPNetwork objects."""
    ret_list = []
    ip_list = ipstring.split(',')
    for i in ip_list:
        if is_valid_ip_address(i):
            ret_list.append(ipaddr.IPNetwork(i.strip()))
        elif is_valid_ip_range(i.strip()):
            (start_ip,end_ip) = i.split('-')
            range_list = ipaddr.summarize_address_range(ipaddr.IPAddress(start_ip.strip()), ipaddr.IPAddress(end_ip.strip()))
            for j in range_list:
                ret_list.append(j)
    return ipaddr.collapse_address_list(ret_list)

def ip_list_to_ip_string(iplist):       
    return decode_ip_string(",".join([decode_ip_string(str(i)) for i in iplist]))

For your specific examples, I would use the functions above and the ‘exclude_address’ method in instances of ipaddr.IPNetwork objects to write a new function that accepts the original_range and subtract_range inputs, returning a list of ipaddr objects (or an ip_string in Qualys’s expected format usingthe ip_list_to_ip_string function above). The only tricky part will be that when you run ‘ip_string_to_cidr(exclude_list)’ you’ll receive a list of IPNetwork objects that need to be subtracted from ‘original_range’.

If you need more help, I can probably throw together some kind of exclude_ips function, as I’ll need it at some point, just let me know.