amend to #2791: unban subnet when subnet is in supplied subnet

fail2ban/server/actions.py

@@ -277,11 +277,7 @@ class Actions(JailThread, Mapping):
 			if not isinstance(ip, IPAddr):
 				ipa = IPAddr(ip)
 				if not ipa.isSingle: # subnet (mask/cidr) or raw (may be dns/hostname):
-					ips = filter(
+					ips = filter(ipa.contains, self.__banManager.getBanList())
-						lambda i: (
-							isinstance(i, IPAddr) and (i == ipa or i.isSingle and i.isInNet(ipa))
-						), self.__banManager.getBanList()
-					)
 					if ips:
 						return self.removeBannedIP(ips, db, ifexists)
 			# not found:

fail2ban/server/ipdns.py

@@ -517,6 +517,11 @@ class IPAddr(object):
 		
 		return (self.addr & mask) == net.addr
 
+	def contains(self, ip):
+		"""Return whether the object (as network) contains given IP
+		"""
+		return isinstance(ip, IPAddr) and (ip == self or ip.isInNet(self))
+
 	# Pre-calculated map: addr to maskplen
 	def __getMaskMap():
 		m6 = (1 << 128)-1

fail2ban/tests/fail2banclienttestcase.py

@@ -1179,6 +1179,21 @@ class Fail2banServerTest(Fail2banClientServerBase):
 			"[test-jail1] Unban 192.0.2.8",
 			"192.0.2.100/31 is not banned", all=True, wait=MID_WAITTIME)
 
+		# ban/unban subnet(s):
+		self.pruneLog("[test-phase 6c]")
+		self.execCmd(SUCCESS, startparams,
+			"--async", "set", "test-jail1", "banip", "192.0.2.96/28", "192.0.2.112/28")
+		self.assertLogged(
+			"[test-jail1] Ban 192.0.2.96/28",
+			"[test-jail1] Ban 192.0.2.112/28", all=True, wait=MID_WAITTIME
+		)
+		self.execCmd(SUCCESS, startparams,
+			"--async", "set", "test-jail1", "unbanip", "192.0.2.64/26"); # contains both subnets .96/28 and .112/28
+		self.assertLogged(
+			"[test-jail1] Unban 192.0.2.96/28",
+			"[test-jail1] Unban 192.0.2.112/28", all=True, wait=MID_WAITTIME
+		)
+
 		# reload all (one jail) with unban all:
 		self.pruneLog("[test-phase 7]")
 		self.execCmd(SUCCESS, startparams,